Transitions for files.
Vadym Chepkov
vchepkov at gmail.com
Mon Oct 25 15:12:27 UTC 2010
On Oct 20, 2010, at 3:17 AM, Miroslav Grepl wrote:
>>
> So does it work with these rules, labels and with the policy which we shipped?
The mediawiki rpm in Fedora is unusable, the mere fact they put site into /var/www/wiki breaks ability to have site.com/wiki/ with short urls (mod_rewrite).
But this is beyond the scope of this distro.
I just installed the unmodified mediawiki into /var/www/mediawiki and set the following context:
/var/www/mediawiki(/.*)? system_u:object_r:httpd_mediawiki_content_t:s0
/var/www/mediawiki/images(/.*)? system_u:object_r:httpd_mediawiki_rw_content_t:s0
/var/www/mediawiki/config(/.*)? system_u:object_r:httpd_mediawiki_rw_content_t:s0
/var/www/mediawiki/cache(/.*)? system_u:object_r:httpd_cache_t:s0
/var/www/mediawiki/bin(/.*)? system_u:object_r:httpd_mediawiki_script_exec_t:s0
1. Since mediawiki package claims to support multiple instances, I think policy should heave some sort of regex:
/var/www/([^/]*wiki(/.*)? for example
2. the standard policy makes everything writable by default and only .php wiles protected. Don't think its right.
what about .php5 or .inc files that comes with extensions or READMEs for that matter? I thought it should be "least privileges".
Mediwaiki needs write access only under "images" where it stores uploaded content and under 'config' it has to create one file LocalSettings.php during initial installation.
Which then should be manually copied into "main" directory. Nothing else.
3. mediawiki 'bin' scripts are not included into policy at all. I added them and here are the AVC I still got:
----
time->Mon Oct 25 09:47:41 2010
type=SYSCALL msg=audit(1288014461.588:565): arch=40000003 syscall=11 success=yes exit=0 a0=97cea00 a1=97cea28 a2=97cd660 a3=97cea28 items=0 ppid=6259 pid=6269 auid=1001 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=10 comm="ulimit4.sh" exe="/bin/bash" subj=unconfined_u:system_r:httpd_mediawiki_script_t:s0 key=(null)
type=AVC msg=audit(1288014461.588:565): avc: denied { read } for pid=6269 comm="ulimit4.sh" path="/var/www/mediawiki/cache/l10n_cache-en.cdb" dev=dm-3 ino=10174 scontext=unconfined_u:system_r:httpd_mediawiki_script_t:s0 tcontext=unconfined_u:object_r:httpd_cache_t:s0 tclass=file
----
time->Mon Oct 25 09:47:41 2010
type=SYSCALL msg=audit(1288014461.597:566): arch=40000003 syscall=75 success=yes exit=0 a0=0 a1=bfbb6ddc a2=41aff4 a3=0 items=0 ppid=6259 pid=6269 auid=1001 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=10 comm="ulimit4.sh" exe="/bin/bash" subj=unconfined_u:system_r:httpd_mediawiki_script_t:s0 key=(null)
type=AVC msg=audit(1288014461.597:566): avc: denied { setrlimit } for pid=6269 comm="ulimit4.sh" scontext=unconfined_u:system_r:httpd_mediawiki_script_t:s0 tcontext=unconfined_u:system_r:httpd_mediawiki_script_t:s0 tclass=process
So, I think 'cache' needs to be marked as httpd_mediawiki_rw_content_t instead of httpd_cache_t and
allow httpd_mediawiki_script_t self:process setrlimit;
needs to be added.
I didn't get denials because of the "tmp" files that has started this thread, so it's a good sign at least.
Now I will try to adapt the policy for rhel5 and report back, I wasn't lucky at the first try, probably conflict with my previously defined mediawiki policy.
Or maybe I should remove mediawiki.if file when I compile it there?
Thanks,
Vadym
More information about the selinux
mailing list