AVC question
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 14 17:04:45 UTC 2013
On 01/11/2013 11:34 AM, David Highley wrote:
> "Daniel J Walsh wrote:"
>>
> On 01/09/2013 05:22 PM, Dominick Grift wrote:
>>>> On Wed, 2013-01-09 at 13:35 -0800, David Highley wrote:
>>>>> "Daniel J Walsh wrote:"
>>>>>>
>>>> On 01/08/2013 11:28 PM, David Highley wrote:
>>>>>>>> I get the following avc from using mythtv's web interface.
>>>>>>>>
>>>>>>>> ----
>>>>>>>> time->Tue Jan 8 19:14:57 2013
>>>>>>>> type=SYSCALL msg=audit(1357701297.336:4077): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=1340cb0 a3=0 items=0 ppid=5777 pid=8018 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
>>>>>>>> type=AVC msg=audit(1357701297.336:4077): avc: denied { setpgid } for pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
>>>>>>>> ----
>>>>>>>> time->Tue Jan 8 19:17:56 2013
>>>>>>>> type=SYSCALL msg=audit(1357701476.763:4085): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=22c5b10 a3=0 items=0 ppid=5774 pid=8113 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
>>>>>>>> type=AVC msg=audit(1357701476.763:4085): avc: denied { setpgid } for pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
>>>>>>>>
>>>>>>>> I checked the script:
>>>>>>>> ls -Z /usr/share/mythweb/mythweb.pl
>>>>>>>> -rwxr-xr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /usr/share/mythweb/mythweb.pl
>>>>>>>>
>>>>>>>> Should I need to define the following?
>>>>>>>>
>>>>>>>> require {
>>>>>>>>         type httpd_sys_script_t;
>>>>>>>>         class process setpgid;
>>>>>>>> }
>>>>>>>>
>>>>>>>> #============= httpd_sys_script_t ==============
>>>>>>>> allow httpd_sys_script_t self:process setpgid;
>>>>>>>>
>>>>>>>> -- selinux mailing list selinux at lists.fedoraproject.org
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>
>>>> Yes, although I guess the question is whether we should allow this
>>>> by default. What risk do we have from allowing cgi scripts the ability
>>>> to call setpgid?
>>>>>>
>>>>>> The only information I could find were previous
>>>>>> bugzilla.redhat.com reports which seemed to recommend local
>>>>>> policy and a 2003 SANS Institute report titled, Global
>>>>>> Information Assurance Certification Paper which seemed to
>>>>>> indicate allowing it. Oh, and I did ask one of our information
>>>>>> assurance people who did not know if there were any issues.
>>>>>>
>>>>
>>>>> we do not have to run mythweb.pl in the httpd_sys_script_t domain:
>>>>>
>>>>> echo "policy_module(mymythweb, 1.0.0)
>>>>> apache_content_template(mymythweb)
>>>>> allow httpd_mymythweb_script_t self:process setpgid;" > mymythweb.te
>>>>>
>>>>> echo "/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mymythweb_script_exec_t,s0)" > mymythweb.fc
>>>>>
>>>>> make -f /usr/share/selinux/devel/Makefile mymythweb.pp
>>>>> sudo semodule -i mymythweb.pp
>>>>> sudo restorecon -v /usr/share/mythweb/mythweb.pl
>>>>
>
> Seems like an idea, not sure what mythweb does? Where is its content
> stored?
>
>> It is the web interface to mythtv, which I believe there is already
>> previous selinux policy for. The scripts are located in
>> /usr/share/mythweb. Should I open a bug report? Which approach should I
>> recommend in the report?
>
Yes, a bug report would be good, with a description of what files need to be
written by the cgi scripts.
Basically I would like to write a policy type httpd_mythtv_script_t and then
add appropriate rules and types for files this type might need to write to.
/var/log? /var/lib? /run? /var? ...
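As an added illustration, not code from the thread or from any SELinux tool: a small Python parser that does for the quoted records what audit2allow did for David, extracting source type, target type, class and permissions from each AVC line and merging them into allow rules, writing `self` when source and target types coincide. The sample records are the thread's own two denials rejoined into single lines, plus one constructed SYSCALL record to show it is ignored.

```python
import re
from dataclasses import dataclass

# Constructed sample: the thread's two AVC records rejoined into single lines
# as ausearch prints them, plus one SYSCALL record to show it is skipped.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1357701297.336:4077): arch=c000003e syscall=109 success=no exit=-13 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1357701297.336:4077): avc: denied { setpgid } for pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1357701476.763:4085): avc: denied { setpgid } for pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

@dataclass(frozen=True)
class Denial:
    source: str       # SELinux type of the acting process
    target: str       # SELinux type of the object acted on
    tclass: str       # object class (process, file, ...)
    perms: frozenset  # permissions denied in this record

def type_of(context):
    """user:role:type:range -> type; maxsplit keeps MLS ranges containing ':' intact."""
    return context.split(":", 3)[2]

def parse_denials(text):
    """One Denial per AVC record; SYSCALL and other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append(Denial(type_of(m["scontext"]), type_of(m["tcontext"]),
                                  m["tclass"], frozenset(m["perms"].split())))
    return denials

def allow_rules(denials):
    """Merge denials per (source, target, class) into allow rules, writing
    'self' when source and target types coincide, as in the setpgid denial."""
    merged = {}
    for d in denials:
        tgt = "self" if d.source == d.target else d.target
        merged.setdefault((d.source, tgt, d.tclass), set()).update(d.perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        perm_str = p if len(perms) == 1 else "{ " + p + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules
```

The output for the sample is the single rule `allow httpd_sys_script_t self:process setpgid;`; whether to load it into httpd_sys_script_t or into a dedicated domain such as the httpd_mymythweb_script_t suggested above is the policy question the thread leaves open.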