Re: CGI Script permissions

Paul Howarth wrote: > On Thu, 2006-06-08 at 15:03 -0400, Daniel J Walsh wrote: >> Paul Howarth wrote: >>> On Fri, 2006-05-26 at 14:18 -0400, Daniel J Walsh wrote: >>>> Paul Howarth wrote: >>>> >>>>> I made something similar for my moin wiki running under mod_fcgid: >>>>> >>>>> te file: >>>>> >>>>> policy_module(apache, 0.2.1) >>>>> >>>>> require { >>>>> type devpts_t; >>>>> type httpd_t; >>>>> type httpd_log_t; >>>>> type httpd_sys_script_exec_t; >>>>> type var_run_t; >>>>> }; >>>>> >>>>> # ========================================================== >>>>> # Create and use httpd_fastcgi_script_t for mod_fcgid apps >>>>> # ========================================================== >>>>> >>>>> apache_content_template(fastcgi) >>>>> kernel_read_kernel_sysctls(httpd_fastcgi_script_t) >>>>> >>>>> # Allow FastCGI applications to live alongside regular CGI apps >>>>> allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { >>>>> search_dir_perms }; >>>>> >>>>> # Allow FastCGI applications to listen for FastCGI requests on their >>>>> # sockets and respond to them >>>>> allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { >>>>> rw_stream_socket_perms }; >>>>> >>>>> # FastCGI application doing something to the httpd error log >>>>> dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl; >>>>> >>>>> # Not sure what this is doing (happens when fastcgi scripts start) >>>>> dontaudit httpd_t devpts_t:chr_file ioctl; >>>>> >>>>> # mod_fcgid setting attr of its socket dir >>>>> allow httpd_t var_run_t:dir setattr; >>>>> >>>> Why not create a context for its socket dir so you don't need this >>>> for var_run? >>>> >>> The obvious type to use would really be httpd_var_run_t rather than >>> creating a new type (comparing with other users of /var/run). In fact I >>> think I tried that but it seemed worse than leaving it the default >>> var_run_t and adding the one allow rule. What would you suggest? >>> >>> >> What errors do you see? >> >> We already have these rules in policy >> >> allow httpd_t httpd_var_run_t:file create_file_perms; >> allow httpd_t httpd_var_run_t:sock_file create_file_perms; >> allow httpd_t httpd_var_run_t:dir rw_dir_perms; >> files_pid_filetrans(httpd_t,httpd_var_run_t, { file sock_file }) >> >> Which should be able to handle this if you relabel the /var/run/XYZ dir. > > Looks like it's just the same one now: > > type=AVC msg=audit(1149799121.917:265395): avc: denied { setattr } for > pid=10825 comm="httpd" name="mod_fcgid" dev=dm-4 ino=458818 > scontext=user_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dirtype=SYSCALL > msg=audit(1149799121.917:265395): arch=40000003 syscall=212 success=yes > exit=0 a0=87639d0 a1=30 a2=ffffffff a3=30 items=1 pid=10825 auid=500 > uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" > exe="/usr/sbin/httpd" > type=CWD msg=audit(1149799121.917:265395): cwd="/" > type=PATH msg=audit(1149799121.917:265395): item=0 > name="/etc/httpd/run/mod_fcgid" flags=1 inode=458818 dev=fd:04 > mode=040755 ouid=48 ogid=48 rdev=00:00 > > (/etc/httpd/run is a symlink to /var/run) > > So I guess I just change the rule to be for httpd_var_run_t rather than > var_run_t (rw_dir_perms doesn't include setattr)? I decided to use a completely new type instead of reusing an existing one. New policy: ####### fastcgi.fc ####### /var/run/mod_fcgid(/.*)? gen_context(system_u:object_r:httpd_fastcgi_sock_t,s0) ####### fastcgi.te ####### policy_module(fastcgi, 0.1.2) type httpd_fastcgi_sock_t; files_type(httpd_fastcgi_sock_t) require { type devpts_t; type httpd_t; type httpd_config_t; type httpd_log_t; type httpd_sys_script_exec_t; type httpd_sys_content_t; }; # ========================================================== # Create and use httpd_fastcgi_script_t for mod_fcgid apps # ========================================================== apache_content_template(fastcgi) kernel_read_kernel_sysctls(httpd_fastcgi_script_t) # Allow FastCGI applications to live alongside regular CGI apps allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms }; allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms }; # Allow FastCGI applications to read the routing table allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms }; # Allow httpd to create and use sockets for communicating with mod_fcgid allow httpd_t httpd_fastcgi_sock_t:dir { rw_dir_perms setattr }; allow httpd_t httpd_fastcgi_sock_t:sock_file { create_file_perms }; # Allow FastCGI applications to listen for FastCGI requests on their # sockets and respond to them allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms }; # FastCGI application doing something to the httpd error log dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl; # Not sure what this is doing (happens when fastcgi scripts start) dontaudit httpd_t devpts_t:chr_file ioctl; # ====================================================== # Equivalent policy cribbed from httpd_sys_script_t # ====================================================== dontaudit httpd_fastcgi_script_t httpd_config_t:dir search; files_search_var_lib(httpd_fastcgi_script_t) files_search_spool(httpd_fastcgi_script_t) ifdef(`distro_redhat',` allow httpd_fastcgi_script_t httpd_log_t:file { getattr append }; ') ifdef(`targeted_policy',` tunable_policy(`httpd_enable_homedirs',` userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t) ') ') optional_policy(` mysql_stream_connect(httpd_fastcgi_script_t) mysql_rw_db_sockets(httpd_fastcgi_script_t) ')