On Thu, Jul 22, 2010 at 02:16:16PM -0600, Erinn Looney-Triggs wrote:
In trying to develop some SELinux exceptions (via audit2allow) for a
ruby application I came up with the following:
module myruby 1.0;
require {
type httpd_tmp_t;
type lib_t;
type httpd_t;
type tmp_t;
class sock_file { write create unlink getattr setattr };
class capability { fowner fsetid };
class file { read getattr execute_no_trans };
class fifo_file { create unlink getattr setattr };
}
#============= httpd_t ==============
allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
allow httpd_t lib_t:file execute_no_trans; # This one is due to mod_passenger being labelled lib_t
allow httpd_t self:capability { fowner fsetid };
allow httpd_t tmp_t:file { read getattr };
Now the first question I have is: is there anything egregiously bad in
there? Aside from the lib_t execute, due to the automatic labelling of
mod_passenger as lib_t.
My second question is, I have this policy working on one machine, moved
it to another machine and everything worked; this application was then
deployed on a third machine and I figured I would just insert the
module again. Well, installing the module worked fine but apache is
trying to use a different type on this machine, from audit2allow:
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t devpts_t:chr_file { read write };
allow httpd_sys_script_t httpd_tmp_t:fifo_file setattr;
allow httpd_sys_script_t self:capability { setuid setgid };
Why all of a sudden is this machine using httpd_sys_script_t instead of
httpd_t, which my other systems use? All the boxes are RHEL 5.5 x64, fully
patched, running selinux-policy-2.4.6-279.el5. Now it is possible that
the myruby.pp module mentioned above is working just fine, but why then
would this one system need these extra privileges? Exact same codebase
for the ruby application across the systems. Any insight would be
appreciated.
Not sure, but it is likely due to labelling of the mod_passenger files and/or your
boolean configuration.

Basically the httpd system script domain has fewer privileges. But the fact that httpd_t
can transition when running mod-passenger offers some possibilities (you could make httpd
transition to a private domain for mod_passenger; that way you do not have to modify the
httpd or httpd system script domains to allow them more privileges).

The privileges for httpd_t do not look too bad. You could label the lib with type bin_t;
that way it can be executed. httpd managing socks and pipes is not so bad either. The
capabilities, however, should be prevented whenever possible. Especially the setuid/setgid
for the httpd sys domain. Also the httpd system script writing to pseudo terminals is
something that I would probably try to prevent.

I would (I think I actually wrote policy for mod_passenger before, but I don't have it
anymore) make httpd_t transition to a private passenger domain and give that domain the
required privileges.

I could help you create a module for this if you're interested.
Thanks,
-Erinn
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
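The private-domain approach suggested in the reply, written out as a skeleton reference-policy module. This is an added example, not code from either poster or from the mod_passenger project: the type names passenger_t and passenger_exec_t, the file path in the .fc fragment, and the use of the refpolicy macros policy_module, domain_type, domain_entry_file and domain_auto_trans are assumptions about the policy toolchain. Unlike the raw `module myruby 1.0;` output of audit2allow -M, this .te/.fc pair is built with the refpolicy devel Makefile (on RHEL it ships in the selinux-policy-devel package) and then inserted with semodule. The permission set deliberately moves the pipe and socket rules from httpd_t into the private domain and leaves the capability and devpts_t rules out, so that they surface as denials against passenger_t and can be examined rather than granted to apache wholesale.

```selinux
# ---------- passenger.te (added example; names and macros are assumptions) ----------
policy_module(passenger, 1.0.0)

require {
    type httpd_t;
    type httpd_tmp_t;
    type tmp_t;
}

# A private domain for the passenger helper processes, plus the entrypoint type
# that the passenger binaries will be labelled with (see passenger.fc below).
type passenger_t;
type passenger_exec_t;
domain_type(passenger_t)
domain_entry_file(passenger_t, passenger_exec_t)
# httpd_t runs in system_r, so the child domain has to be reachable from that role.
role system_r types passenger_t;

# When httpd_t executes a passenger_exec_t file, the process lands in passenger_t.
# The macro supplies the execute/transition/entrypoint allows and the type_transition,
# which also removes the need for httpd_t to execute lib_t at all.
domain_auto_trans(httpd_t, passenger_exec_t, passenger_t)

# Parent/child plumbing between apache and its passenger children.
allow passenger_t httpd_t:fd use;
allow passenger_t httpd_t:fifo_file { read write getattr };
allow passenger_t httpd_t:process sigchld;
allow httpd_t passenger_t:process { signal sigkill };

# The fifo/sock handling from the original audit2allow output, now granted to the
# private domain instead of to httpd_t (same permission lists as in the thread).
allow passenger_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
allow passenger_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
allow passenger_t tmp_t:file { read getattr };

# Intentionally NOT granted here: capability { fowner fsetid setuid setgid } and
# devpts_t:chr_file { read write }. Any remaining denials will now be logged against
# passenger_t and can be inspected with audit2allow before deciding on each one.

# ---------- passenger.fc (added example; the path is a placeholder) ----------
# Label the passenger helper binaries so the transition above fires.
/PLACEHOLDER/path/to/passenger/bin(/.*)?    gen_context(system_u:object_r:passenger_exec_t,s0)
```

Build and load steps assumed for a RHEL 5 host with selinux-policy-devel installed: `make -f /usr/share/selinux/devel/Makefile passenger.pp`, then `semodule -i passenger.pp`, then `restorecon -Rv` on the directory named in passenger.fc so the binaries actually pick up passenger_exec_t. Afterwards `ps -eZ | grep passenger` should show the helpers running as passenger_t; if they still show httpd_t, the file label (check with `ls -Z`) is the first thing to verify.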