AVC question

David Highley dhighley at highley-recommended.com
Tue Jan 15 04:22:46 UTC 2013


"Daniel J Walsh wrote:"
> 
> 
> On 01/11/2013 11:34 AM, David Highley wrote:
> > "Daniel J Walsh wrote:"
> >> 
> > On 01/09/2013 05:22 PM, Dominick Grift wrote:
> >>>> On Wed, 2013-01-09 at 13:35 -0800, David Highley wrote:
> >>>>> "Daniel J Walsh wrote:"
> >>>>>> 
> >>>> On 01/08/2013 11:28 PM, David Highley wrote:
> >>>>>>>> I get the following avc from using mythtv's web interface.
> >>>>>>>> 
> >>>>>>>> ---- time->Tue Jan  8 19:14:57 2013
> >>>>>>>> type=SYSCALL msg=audit(1357701297.336:4077): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=1340cb0 a3=0 items=0 ppid=5777 pid=8018 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> >>>>>>>> type=AVC msg=audit(1357701297.336:4077): avc:  denied  { setpgid } for pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
> >>>>>>>> ---- time->Tue Jan  8 19:17:56 2013
> >>>>>>>> type=SYSCALL msg=audit(1357701476.763:4085): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=22c5b10 a3=0 items=0 ppid=5774 pid=8113 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> >>>>>>>> type=AVC msg=audit(1357701476.763:4085): avc:  denied  { setpgid } for pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
> >>>>>>>> 
> >>>>>>>> I checked the script:
> >>>>>>>> ls -Z /usr/share/mythweb/mythweb.pl
> >>>>>>>> -rwxr-xr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /usr/share/mythweb/mythweb.pl
> >>>>>>>> 
> >>>>>>>> Should I need to define the following?
> >>>>>>>> 
> >>>>>>>> require {
> >>>>>>>>         type httpd_sys_script_t;
> >>>>>>>>         class process setpgid;
> >>>>>>>> }
> >>>>>>>> 
> >>>>>>>> #============= httpd_sys_script_t ==============
> >>>>>>>> allow httpd_sys_script_t self:process setpgid;
> >>>>>>>> -- 
> >>>>>>>> selinux mailing list
> >>>>>>>> selinux at lists.fedoraproject.org
> >>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>>>> 
> >>>> Yes, although I guess the question is whether we should allow this
> >>>> by default. What risk do we have from allowing cgi scripts the ability
> >>>> to call setpgid?
> >>>>>> 
> >>>>>> The only information I could find were previous
> >>>>>> bugzilla.redhat.com reports which seemed to recommend local
> >>>>>> policy and a 2003 SANS Institute report titled, Global
> >>>>>> Information Assurance Certification Paper which seemed to
> >>>>>> indicate allowing it. Oh, and I did ask one of our information
> >>>>>> assurance people who did not know if there were any issues.
> >>>>>> 
> >>>> 
> >>>>> we do not have to run mythweb.pl in httpd_sys_script_t domain:
> >>>> 
> >>>>> echo "policy_module(mymythweb, 1.0.0)
> >>>>> apache_content_template(mymythweb)
> >>>>> allow httpd_mymythweb_script_t self:process setpgid;" > mymythweb.te
> >>>> 
> >>>>> echo "/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mymythweb_script_exec_t,s0)" > mymythweb.fc
> >>>> 
> >>>>> make -f /usr/share/selinux/devel/Makefile mymythweb.pp
> >>>>> sudo semodule -i mymythweb.pp
> >>>>> sudo restorecon -v /usr/share/mythweb/mythweb.pl
> >>>> 
> >>>> 
> > 
> > Seems like an idea, not sure what mythweb does?  Where is its content
> > stored?
> > 
> >> It is the web interface to mythtv which I believe there is already 
> >> previous selinux policy for. The scripts are located in 
> >> /usr/share/mythweb. Should I open a bug report? Which approach should I 
> >> recommend in the report?
> > 
> 
> Yes, a bug report would be good, with a description of what files need to be
> written by the cgi scripts.
> 
> Basically I would like to write a policy type httpd_mythtv_script_t and then
> add appropriate rules and types for files this type might need to write to.
> 
> /var/log?  /var/lib? /run? /var?  ...

Fixed places it can write are:
/var/log/mythtv - log files
/var/lib/mythtv - home directory which appears not to be used
/etc/mythtv - configuration files it reads

Recording location is user configurable so it can be anywhere including
remote NFS storage and can be divided into separate areas for different
types of multimedia. Since one of the many ways to access this area is
the web interface we have done the following:
semanage fcontext -a -t httpd_sys_content_t /export/recordings

Types of files written for video recordings are:
.mpg - mpeg video file
.mpg.png - image clip file

Then depending on need recordings can be post processed and transcoded
into many other formats like .mp4, H.264 format, AVI, and the list could
be quite long. We create a subdirectory in the recording area and store
the mysql database backups there which have an extension of .sql.gz. But
the backups could be configured to be stored anywhere.

Mythtv also uses mysql so we set the following sebools on:
setsebool -P nfs_export_all_rw on
setsebool -P httpd_builtin_scripting on
setsebool -P httpd_can_network_connect on
setsebool -P httpd_can_network_connect_db on
setsebool -P httpd_use_nfs on

My old notes indicate that we needed to do the following, but I'm not
sure it is still needed.
chcon -v -t httpd_sys_rw_content_t /usr/share/mythweb/data

This is a large application and we do not use all of it so there may be
other places it can write. We do see NFS automount requests for places
that do not exist in our system. You might want to talk with Jarod
Wilson who works I think in your area for Red Hat. He has been a long
time user of Mythtv and may have done some development on the
application.

I will move this information to a bug report if I have all the
information you need.

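As an added example (written for this page, not by any poster in the thread), a small Python parser for the SYSCALL/AVC records quoted above: it pairs the two record types by audit id, pulls out the fields an admin checks before widening policy (exe, uid, syscall, exit status, source and target contexts), and renders the same `allow httpd_sys_script_t self:process setpgid;` rule the original poster asked about, collapsing repeated denials to one rule. The sample records are constructed from the thread's own lines; `unique_rules` and `allow_rule` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed from the records quoted in the thread: a SYSCALL + AVC pair for
# audit id 4077 and the AVC line for 4085 (a second denial of the same thing).
SAMPLE_AUDIT = "\n".join([
    'type=SYSCALL msg=audit(1357701297.336:4077): arch=c000003e syscall=109 '
    'success=no exit=-13 a0=0 a1=0 a2=1340cb0 a3=0 items=0 ppid=5777 pid=8018 '
    'auid=4294967295 uid=48 gid=48 euid=48 tty=(none) comm="mythweb.pl" '
    'exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)',
    'type=AVC msg=audit(1357701297.336:4077): avc:  denied  { setpgid } for '
    'pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process',
    'type=AVC msg=audit(1357701476.763:4085): avc:  denied  { setpgid } for '
    'pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process',
])
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')   # key=value tokens
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}')
ID_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')          # "timestamp:serial"

def parse_audit(text):
    """Join SYSCALL and AVC lines sharing an audit id; return one dict per id."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = ID_RE.search(line)
        if not m:
            continue
        ev = events[m.group(1)]
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if line.startswith("type=AVC"):
            verdict, perms = AVC_RE.search(line).groups()
            ev.update(verdict=verdict, perms=perms.split(), tclass=fields["tclass"],
                      scontext=fields["scontext"], tcontext=fields["tcontext"])
        elif line.startswith("type=SYSCALL"):
            # exit=-13 is EACCES; syscall 109 with arch=c000003e (x86_64) is setpgid
            ev.update(exe=fields.get("exe"), uid=fields.get("uid"),
                      syscall=fields.get("syscall"), exit=fields.get("exit"))
    return [dict(audit_id=k, **v) for k, v in events.items()]

def allow_rule(ev):
    """TE rule audit2allow would propose; same source/target type becomes 'self'."""
    src, tgt = ev["scontext"].split(":")[2], ev["tcontext"].split(":")[2]
    perms = ev["perms"]
    perms = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (src, "self" if src == tgt else tgt, ev["tclass"], perms)

def unique_rules(events):
    """Distinct rules across repeated denials, in first-seen order."""
    rules = [allow_rule(ev) for ev in events if ev.get("verdict") == "denied"]
    return list(dict.fromkeys(rules))
```

Running `unique_rules(parse_audit(SAMPLE_AUDIT))` over the two denials yields the single rule from the thread; whether to grant it in local policy, or move the script to its own domain as Dominick suggested, is still the admin's call.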

