gpg through apache and php?

[Stephen Smalley]

On Wed, 2005-04-27 at 22:09 -0400, brett wrote:
> httpd_disable_trans     active

What?  That should have disabled all protection on httpd, i.e. the
transition into httpd_t in the first place.  Or did you just make that
change after being unable to get it to work?

> httpd_enable_homedirs   active

Allows access to user home directories.  For better security, disable.

> httpd_unified           active

This folds together the distinct types of web content; preferable to
disable it if possible.

> /home/test/.gnupg
> 
> test is a user. Also, i plan on using symmetric encryption so i don't
> think it needs the keyring file.

Why isn't it just part of the web tree under /var/www so that you can
prohibit access to user home directories entirely?

> Apr 24 22:29:06 razorfold kernel: audit(1114396146.398:0): avc:  denied  {
> execute } for  pid=6266 comm=gpg path=/etc/ld.so.cache dev=dm-0
> ino=3919093 scontext=user_u:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:ld_so_cache_t tclass=file
> Apr 24 22:29:06 razorfold kernel: audit(1114396146.398:0): avc:  denied  {
> execmod } for  pid=6266 comm=gpg path=/usr/bin/gpg dev=dm-0 ino=4972274
> scontext=user_u:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:bin_t tclass=file

This is a result of gpg being marked as requiring an executable stack
(and still looks that way in FC4/devel - execstack -q /usr/bin/gpg
reports X - Dan?).  With a newer kernel (>= 2.6.12-rc2, also included in
FC4/devel kernels), you'd at least avoid the noise on ld.so.cache due to
the checkreqprot compatibility support.  But you would still need
execmod on the gpg binary; under strict policy, gpg has its own separate
executable type (gpg_exec_t) and domain (gpg_t), so we only need to
allow execmod for that particular case.  What's suggested for FC3
targeted policy, Dan?

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency