Right way to do CGI that does complicated things?

Jason Axelson jaxelson at referentia.com
Fri Sep 2 23:50:13 UTC 2011


Hi Robin,

I can't really answer your questions about what you should do, but I
wanted to provide a link that shows why httpd_user_script_t is not
transitioning to sendmail_t.

http://danwalsh.livejournal.com/23944.html

Jason

On Fri, Sep 2, 2011 at 1:33 PM, Robin Lee Powell
<rlpowell at digitalkingdom.org> wrote:
>
> (Background: My SELinux hosts are all F15, fairly base installation,
> with the unconfined module disabled)
>
> I have a host that is for random hackery, and hence is (or at least
> is allowed to be) less secure than the others.
>
> I have a user who made a CGI (running under apache; python, in case
> that matters) that pulls things from elsewhere on the web and then
> sends email with the results.
>
> This generates a pretty large number of AVC denials, which I suppose
> is reasonable since that behaviour looks an awful lot like "I just
> got hijacked and am now being used for spam distribution".
>
> One thing I was genuinely surprised by though is that the
> mail-related denials all came in for httpd_user_script_t , rather
> than sendmail_t or something, and that no attempt to transition to
> sendmail_t seems to have occurred or been denied or anything, as I'd
> have expected (it sends mail with /bin/mail ).
>
> FWIW, here's the AVCs:
>
> http://fpaste.org/ZyHg/  (uses date from the input form only)
>
> http://fpaste.org/M9Fq/  (goes out and talks to another website)
>
> I've learned a lot about SELinux recently, but it's all been
> piecemeal, so this is more of a "what's the right thing?" question
> designed for me to learn from more than "what's the fastest way
> to fix this?".
>
> So, what's the right way to handle this situation?
>
> httpd_user_script_exec_t doesn't do the trick at all (which is
> probably good since it turns out user_u can set that with chcon,
> which I didn't expect).
>
> Is there some way without installing a module (i.e. with semanage or
> similar) to indicate to SELinux "Yeah, this script over here?  It
> can talk to the web" (or "send email")?
>
> Is there a way to indicate that system-wide without installing a
> module?  (not that I would, just curious)
>
> If doing it via module, it's best to create a bobs_script_exec_t and
> bobs_script_t and do everything for those types, rather than
> httpd_user_script_exec_t and friends, right?  This means that a user
> making a non-trivial CGI has to come talk to me, which is a tad
> unfortunate but not horrible.
>
> Thanks for all enlightenment here, and please feel free to go the
> "you're thinking about it wrong" route; I'm really wanting to learn.
>
> -Robin
>
> --
> http://singinst.org/ :  Our last, best hope for a fantastic future.
> Lojban (http://www.lojban.org/): The language in which "this parrot
> is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
> is "na nei".   My personal page: http://www.digitalkingdom.org/rlp/
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
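An added example, not code from this thread: it parses audit.log AVC records like the ones Robin links to and checks the two things the thread turns on, which domain each command (python, mail) was actually denied in, and whether any denial records an attempted domain transition. The sample records are constructed, not the ones behind the fpaste links.

```python
import re
from collections import Counter, defaultdict

# Constructed AVC records in audit.log format (not the ones behind the fpaste links):
# a python CGI denied network access, then the /bin/mail it ran denied a file read.
SAMPLE_AVCS = """\
type=AVC msg=audit(1314991234.123:456): avc:  denied  { name_connect } for  pid=2345 comm="python" dest=80 scontext=user_u:user_r:httpd_user_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1314991235.456:457): avc:  denied  { name_connect } for  pid=2345 comm="python" dest=25 scontext=user_u:user_r:httpd_user_script_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1314991236.789:458): avc:  denied  { read } for  pid=2346 comm="mail" name="sendmail.cf" dev=dm-0 ino=1234 scontext=user_u:user_r:httpd_user_script_t:s0 tcontext=system_u:object_r:sendmail_etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avcs(text):
    """Parse each 'denied' AVC record into a dict; non-AVC lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # the type is the third field of a context (user:role:type:level)
            records.append({"perms": m.group("perms").split(), "comm": m.group("comm"),
                            "stype": m.group("scontext").split(":")[2],
                            "ttype": m.group("tcontext").split(":")[2],
                            "tclass": m.group("tclass")})
    return records

def summarize(text):
    """Count denials by (source domain, target class, permission)."""
    return Counter((r["stype"], r["tclass"], p) for r in parse_avcs(text) for p in r["perms"])

def domains_by_comm(text):
    """Map each denied command name to the set of source domains it ran in."""
    domains = defaultdict(set)
    for r in parse_avcs(text):
        domains[r["comm"]].add(r["stype"])
    return domains

def transition_attempts(text):
    """Denials showing an attempted domain change: a process 'transition', or execute/entrypoint on a *_exec_t file."""
    hits = []
    for r in parse_avcs(text):
        perms = set(r["perms"])
        if (r["tclass"] == "process" and "transition" in perms) or (
                r["tclass"] == "file" and r["ttype"].endswith("_exec_t")
                and perms & {"execute", "entrypoint"}):
            hits.append(r)
    return hits
```

With the sample records, `domains_by_comm` shows `mail` denied under `httpd_user_script_t` and `transition_attempts` is empty, which is exactly the "no transition to sendmail_t" pattern Robin describes.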