apache and setroubleshot policy oddities
Dominick Grift
dominick.grift at gmail.com
Thu Mar 14 15:06:50 UTC 2013
On Thu, 2013-03-14 at 10:50 -0400, m.roth at 5-cent.us wrote:
> allow httpd_t httpd_log_t:file write;
>
> Why on earth can't something running as httpd_t write to a logfile of
> httpd_log_t in /var/log/httpd/?
>
Because httpd, and any webapps running in the httpd_t domain, should open
the log file for "append" rather than "write".
By allowing httpd_t to "write" to the log file, one allows httpd and any
webapp running in the httpd_t domain to remove log entries, thus
manipulating the audit trail. A compromised webapp could erase traces.
Auditing is generally important, for legal purposes and to figure out
where a breach originated. It helps if one can trust to some extent the
integrity of one's log files.
It's common practice for coders to open log files for append only.
So I consider this a bug in the webapp.
You can, if you want, use audit2allow to allow this event, but that is not
encouraged.
> And then there's this...
>
> #============= setroubleshootd_t ==============
> allow setroubleshootd_t httpd_sys_script_t:dir read;
> allow setroubleshootd_t httpd_sys_script_t:file getattr;
>
> Shouldn't setroubleshootd have rights?
I guess it wants to read a webapp's process state files. Not sure if that
should be allowed.
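An added example (not from this thread) showing the difference the reply is drawing between SELinux's `append` and `write` file permissions: an O_APPEND open (what SELinux gates with `file append`) cannot alter earlier entries even after seeking backwards, while a plain writable or truncating open (what needs `file write`) can erase them. It also includes a small reviewer helper for audit2allow output; the log lines and temp paths are constructed for the demo.

```python
import os
import re
import tempfile

LOG_LINES = [b"GET /index.html 200\n", b"POST /admin 403\n"]  # constructed sample

def write_log_entries(path, entries):
    # Daemon-style logging: O_APPEND open, which SELinux checks as `file append`.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o640)
    try:
        for entry in entries:
            os.write(fd, entry)
    finally:
        os.close(fd)

def overwrite_attempt_append_only(path):
    # With only `append`, seeking back does not help: O_APPEND moves every
    # write to the end of the file, so earlier entries are preserved.
    fd = os.open(path, os.O_WRONLY | os.O_APPEND)
    try:
        os.lseek(fd, 0, os.SEEK_SET)
        os.write(fd, b"tampered\n")
    finally:
        os.close(fd)

def truncate_with_write(path):
    # What `write` additionally permits: a plain writable open, here with
    # O_TRUNC, which discards the whole audit trail.
    os.close(os.open(path, os.O_WRONLY | os.O_TRUNC))

def log_entries(path):
    with open(path, "rb") as f:
        return f.read().splitlines()

def risky_log_rules(te_text):
    # Flag audit2allow rules that grant `write` on a *_log_t file type;
    # `append` is the permission a logging daemon actually needs.
    pat = re.compile(r"allow\s+(\S+)\s+(\S+_log_t):file\s+(\{[^}]*\}|\S+);")
    flagged = []
    for m in pat.finditer(te_text):
        perms = m.group(3).strip("{} ").split()
        if "write" in perms:
            flagged.append((m.group(1), m.group(2)))
    return flagged

def demo():
    # Runs the scenario on a constructed temp log; returns both file states.
    path = os.path.join(tempfile.mkdtemp(), "access_log")
    write_log_entries(path, LOG_LINES)
    overwrite_attempt_append_only(path)
    after_append_only = log_entries(path)
    truncate_with_write(path)
    return after_append_only, log_entries(path)
```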