On Oct 20, 2010, at 3:17 AM, Miroslav Grepl wrote:
>
> So does it work with these rules, labels and with the policy which we shipped?
The mediawiki rpm in Fedora is unusable; the mere fact that they put the site into /var/www/wiki
breaks the ability to have site.com/wiki/ with short URLs (mod_rewrite).
But this is beyond the scope of this distro.
I just installed the unmodified mediawiki into /var/www/mediawiki and set the following contexts:
/var/www/mediawiki(/.*)? system_u:object_r:httpd_mediawiki_content_t:s0
/var/www/mediawiki/images(/.*)? system_u:object_r:httpd_mediawiki_rw_content_t:s0
/var/www/mediawiki/config(/.*)? system_u:object_r:httpd_mediawiki_rw_content_t:s0
/var/www/mediawiki/cache(/.*)? system_u:object_r:httpd_cache_t:s0
/var/www/mediawiki/bin(/.*)? system_u:object_r:httpd_mediawiki_script_exec_t:s0
1. Since the mediawiki package claims to support multiple instances, I think the policy should
have some sort of regex, for example:
/var/www/[^/]*wiki(/.*)?
2. The standard policy makes everything writable by default and only .php files are protected.
I don't think that's right.
What about .php5 or .inc files that come with extensions, or READMEs for that matter? I
thought it should be "least privilege".
Mediawiki needs write access only under "images", where it stores uploaded
content, and under "config", where it has to create one file, LocalSettings.php, during
initial installation, which then should be manually copied into the "main" directory. Nothing else.
3. The mediawiki 'bin' scripts are not included in the policy at all. I added them, and
here are the AVCs I still got:
----
time->Mon Oct 25 09:47:41 2010
type=SYSCALL msg=audit(1288014461.588:565): arch=40000003 syscall=11 success=yes exit=0
a0=97cea00 a1=97cea28 a2=97cd660 a3=97cea28 items=0 ppid=6259 pid=6269 auid=1001 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=10
comm="ulimit4.sh" exe="/bin/bash"
subj=unconfined_u:system_r:httpd_mediawiki_script_t:s0 key=(null)
type=AVC msg=audit(1288014461.588:565): avc: denied { read } for pid=6269
comm="ulimit4.sh" path="/var/www/mediawiki/cache/l10n_cache-en.cdb"
dev=dm-3 ino=10174 scontext=unconfined_u:system_r:httpd_mediawiki_script_t:s0
tcontext=unconfined_u:object_r:httpd_cache_t:s0 tclass=file
----
time->Mon Oct 25 09:47:41 2010
type=SYSCALL msg=audit(1288014461.597:566): arch=40000003 syscall=75 success=yes exit=0
a0=0 a1=bfbb6ddc a2=41aff4 a3=0 items=0 ppid=6259 pid=6269 auid=1001 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=10 comm="ulimit4.sh"
exe="/bin/bash" subj=unconfined_u:system_r:httpd_mediawiki_script_t:s0
key=(null)
type=AVC msg=audit(1288014461.597:566): avc: denied { setrlimit } for pid=6269
comm="ulimit4.sh" scontext=unconfined_u:system_r:httpd_mediawiki_script_t:s0
tcontext=unconfined_u:system_r:httpd_mediawiki_script_t:s0 tclass=process
So, I think 'cache' needs to be marked as httpd_mediawiki_rw_content_t instead of httpd_cache_t, and
allow httpd_mediawiki_script_t self:process setrlimit;
needs to be added.
I didn't get denials because of the "tmp" files that started this
thread, so that's a good sign at least.
Now I will try to adapt the policy for RHEL 5 and report back; I wasn't lucky at the
first try, probably a conflict with my previously defined mediawiki policy.
Or maybe I should remove the mediawiki.if file when I compile it there?
Thanks,
Vadym
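An added example, not from the thread or the Fedora policy: the two AVC records quoted in the mail, parsed into the candidate allow rules an audit2allow-style tool would print (the setrlimit one is exactly the rule proposed above; the httpd_cache_t one is the denial the mail answers by relabeling instead), plus a check of the multi-instance file-context regex from point 1, written here without its unbalanced parenthesis (an assumption about the intended pattern).

```python
import re

# The two AVC records from the mail above, re-joined onto one line each.
AVC_LINES = [
    'type=AVC msg=audit(1288014461.588:565): avc: denied { read } for pid=6269 '
    'comm="ulimit4.sh" path="/var/www/mediawiki/cache/l10n_cache-en.cdb" '
    'dev=dm-3 ino=10174 scontext=unconfined_u:system_r:httpd_mediawiki_script_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_cache_t:s0 tclass=file',
    'type=AVC msg=audit(1288014461.597:566): avc: denied { setrlimit } for pid=6269 '
    'comm="ulimit4.sh" scontext=unconfined_u:system_r:httpd_mediawiki_script_t:s0 '
    'tcontext=unconfined_u:system_r:httpd_mediawiki_script_t:s0 tclass=process',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def seltype(context):
    """user:role:type:level -> the type field, which is all an allow rule names."""
    return context.split(':')[2]

def parse_avc(line):
    """Return source/target types, class and permissions, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {'perms': m.group('perms').split(),
            'source': seltype(m.group('scontext')),
            'target': seltype(m.group('tcontext')),
            'tclass': m.group('tclass')}

def allow_rule(denial):
    """Rule that would silence this denial; the same type on both sides is written 'self'."""
    target = 'self' if denial['source'] == denial['target'] else denial['target']
    perms = denial['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {denial['source']} {target}:{denial['tclass']} {perm_str};"

def rules_for(lines):
    # A generated rule is only a hint: for the httpd_cache_t denial the mail's answer
    # is to relabel cache/ as httpd_mediawiki_rw_content_t rather than to allow it.
    return [allow_rule(d) for d in map(parse_avc, lines) if d]

# Multi-instance file-context pattern from point 1 with the stray "(" removed (assumption);
# file_contexts regexes are matched anchored against the whole path.
FC_REGEX = re.compile(r'^/var/www/[^/]*wiki(/.*)?$')

def fc_matches(path):
    return bool(FC_REGEX.match(path))
```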