Hello,
mediawiki software has a following script, ImageMagick gets invoked using it:
$ cat /var/www/mediawiki/bin/ulimit4.sh #!/bin/bash
ulimit -t $1 -v $2 -f $3 eval "$4"
I added /var/www/mediawiki/bin/.* regular file system_u:object_r:httpd_sys_script_exec_t:s0
into local policy. I receive the following AVC denial:
type=AVC msg=audit(1236789583.906:576443): avc: denied { read } for pid=22724 comm="ulimit4.sh" path="eventpoll:[10101538]" dev=eventpollfs ino=10101538 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
audit2allow suggests the following:
allow httpd_sys_script_t httpd_t:file read;
but it doesn't seem right to me. I don't want to make it httpd_unconfined_script_exec_t, does anyone has a better suggestion? Thank you.
Sincerely yours, Vadym Chepkov
On Wed, 2009-03-11 at 10:01 -0700, Vadym Chepkov wrote:
Hello,
mediawiki software has a following script, ImageMagick gets invoked using it:
$ cat /var/www/mediawiki/bin/ulimit4.sh #!/bin/bash
ulimit -t $1 -v $2 -f $3 eval "$4"
I added /var/www/mediawiki/bin/.* regular file system_u:object_r:httpd_sys_script_exec_t:s0
into local policy. I receive the following AVC denial:
type=AVC msg=audit(1236789583.906:576443): avc: denied { read } for pid=22724 comm="ulimit4.sh" path="eventpoll:[10101538]" dev=eventpollfs ino=10101538 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
audit2allow suggests the following:
allow httpd_sys_script_t httpd_t:file read;
but it doesn't seem right to me. I don't want to make it httpd_unconfined_script_exec_t, does anyone has a better suggestion?
Looks like it wants to read some httpd process info. As far as i am concerned you can allow this access with a local policy:
echo "avc: denied { read } for pid=22724 comm="ulimit4.sh" path="eventpoll:[10101538]" dev=eventpollfs ino=10101538 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file" | audit2allow -M myhttpdsysscript; /usr/sbin/semodule -i myhttpdsysscript.pp
Mind the line breaks.
to undo:semodule -r myhttpdsysscript
You can also run this script in a unique domain. This would require you to write policy for it. Something like:
mkdir ~/mediawikiscript; cd ~/mediawikiscript; echo "policy_module(mediawikiscript, 0.0.1)" > mediawikiscript.te echo "apache_content_template(mediawikiscript) >> mediawikiscript.te echo "allow httpd_mediawikiscript_script_t httpd_t:file read;" echo "/var/www/mediawiki/bin/.* gen_context(system_u:object_r:httpd_mediawikiscript_script_exec_t" > mediawikiscript.fc
(watch the line breaks)
make -f /usr/share/selinux/devel/Makefile semodule -i mediawikiscript.pp restorecon -R -v /var/www/mediawiki/bin/
Thank you.
Sincerely yours, Vadym Chepkov
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
selinux@lists.fedoraproject.org