[selinux] Re: [selinux] Re: Right way to do CGI that does complicated things?

Robin Lee Powell rlpowell at digitalkingdom.org
Sat Sep 3 05:42:13 UTC 2011


OK, between that (thanks Jason) and a friend's reminder to read "man
httpd_selinux", I think I've got a decent solution worked out:

Script is httpd_sys_script_exec_t, which gives it sendmail perms.

The data files are public_content_rw_t (so the user can set it
themselves; I could do httpd_sys_rw_content_t, but then I'd have to
set it).

setsebool -P allow_httpd_sys_script_anon_write=1 to allow the
public_content_rw_t to work.

And it seems to be fine now; no AVCs.

-Robin


On Fri, Sep 02, 2011 at 10:17:35PM -0700, Robin Lee Powell wrote:
> OK, read that (again :), played around a bit.  According to "sudo
> sesearch -T -t sendmail_exec_t":
> 
>   type_transition httpd_sys_script_t sendmail_exec_t : process system_mail_t;
> 
> but there's no similar one for any of the other httpd script
> transitions.  I suppose I should try marking it with
> httpd_sys_script_t and see how it goes.
> 
> -Robin
> 
> On Fri, Sep 02, 2011 at 01:50:13PM -1000, Jason Axelson wrote:
> > Hi Robin,
> > 
> > I can't really answer your questions about what you should do, but
> > I wanted to provide a link that shows why httpd_user_script_t is
> > not transitioning to sendmail_t.
> > 
> > http://danwalsh.livejournal.com/23944.html
> > 
> > Jason
> > 
> > On Fri, Sep 2, 2011 at 1:33 PM, Robin Lee Powell
> > <rlpowell at digitalkingdom.org> wrote:
> > >
> > > (Background: My SELinux hosts are all F15, fairly base installation,
> > > with the unconfined module disabled)
> > >
> > > I have a host that is for random hackery, and hence is (or at least
> > > is allowed to be) less secure than the others.
> > >
> > > I have a user who made a CGI (running under apache; python, in case
> > > that matters) that pulls things from elsewhere on the web and then
> > > sends email with the results.
> > >
> > > This generates a pretty large number of AVC denials, which I suppose
> > > is reasonable since that behaviour looks an awful lot like "I just
> > > got hijacked and am now being used for spam distribution".
> > >
> > > One thing I was genuinely surprised by though is that the
> > > mail-related denials all came in for httpd_user_script_t, rather
> > > than sendmail_t or something, and that no attempt to transition to
> > > sendmail_t seems to have occurred or been denied or anything, as I'd
> > > have expected (it sends mail with /bin/mail).
> > >
> > > FWIW, here's the AVCs:
> > >
> > > http://fpaste.org/ZyHg/  (uses date from the input form only)
> > >
> > > http://fpaste.org/M9Fq/  (goes out and talks to another website)
> > >
> > > I've learned a lot about SELinux recently, but it's all been
> > > piecemeal, so this is more of a "what's the right thing?" question
> > > designed for me to learn from more than "what's the fastest way
> > > to fix this?".
> > >
> > > So, what's the right way to handle this situation?
> > >
> > > httpd_user_script_exec_t doesn't do the trick at all (which is
> > > probably good since it turns out user_u can set that with chcon,
> > > which I didn't expect).
> > >
> > > Is there some way without installing a module (i.e. with semanage or
> > > similar) to indicate to SELinux "Yeah, this script over here?  It
> > > can talk to the web" (or "send email")?
> > >
> > > Is there a way to indicate that system-wide without installing a
> > > module?  (not that I would, just curious)
> > >
> > > If doing it via module, it's best to create a bobs_script_exec_t and
> > > bobs_script_t and do everything for those types, rather than
> > > httpd_user_script_exec_t and friends, right?  This means that a user
> > > making a non-trivial CGI has to come talk to me, which is a tad
> > > unfortunate but not horrible.
> > >
> > > Thanks for all enlightenment here, and please feel free to go the
> > > "you're thinking about it wrong" route; I'm really wanting to learn.
> > >
> > > -Robin
> > >
> 

-- 
http://singinst.org/ :  Our last, best hope for a fantastic future.
Lojban (http://www.lojban.org/): The language in which "this parrot
is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
is "na nei".   My personal page: http://www.digitalkingdom.org/rlp/
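The labelling decisions the thread arrives at, turned into a small AVC triage script that reads audit.log denial lines and says which of the thread's fixes applies. This is an added example, not code from the thread or from the fpaste links; the audit lines are constructed, and the httpd_can_network_connect boolean used for the outbound-HTTP case comes from man httpd_selinux rather than from the discussion.

```python
import re

# Constructed audit.log AVC lines for the three situations the thread touches
# (mail from a user script, writes to public_content_rw_t, outbound HTTP).
SAMPLE_AVCS = """\
type=AVC msg=audit(1314940000.123:501): avc:  denied  { read } for  pid=2350 comm="mail" name="sendmail.cf" scontext=system_u:system_r:httpd_user_script_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file
type=AVC msg=audit(1314940000.456:502): avc:  denied  { write } for  pid=2345 comm="python" name="results.txt" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:public_content_rw_t:s0 tclass=file
type=AVC msg=audit(1314940001.789:503): avc:  denied  { name_connect } for  pid=2345 comm="python" dest=80 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')


def parse_avcs(text):
    """One dict per AVC line, with the source/target *types* pulled out of the
    user:role:type:level contexts (the type is what the policy decides on)."""
    parsed = []
    for m in AVC_RE.finditer(text):
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        d["stype"] = d["scon"].split(":")[2]
        d["ttype"] = d["tcon"].split(":")[2]
        parsed.append(d)
    return parsed


def advise(avc):
    """Map a denial to the fix the thread settled on, or to where to look next."""
    if avc["stype"] == "httpd_user_script_t" and avc["comm"] in ("mail", "sendmail"):
        # sesearch in the thread shows the sendmail_exec_t -> system_mail_t
        # type_transition only for httpd_sys_script_t, so the user-script
        # domain runs the mailer itself and collects the denials.
        return ("no transition to system_mail_t from httpd_user_script_t; "
                "label the CGI httpd_sys_script_exec_t")
    if (avc["stype"] == "httpd_sys_script_t"
            and avc["ttype"] == "public_content_rw_t" and "write" in avc["perms"]):
        return "setsebool -P allow_httpd_sys_script_anon_write=1"
    if avc["ttype"] == "http_port_t" and "name_connect" in avc["perms"]:
        # Boolean name taken from man httpd_selinux, not from the thread.
        return "outbound HTTP: setsebool -P httpd_can_network_connect=1"
    return "unmapped: check man httpd_selinux and sesearch before adding policy"


def triage(text):
    """Return (source type, target type, perms, advice) for every denial."""
    return [(a["stype"], a["ttype"], a["perms"], advise(a)) for a in parse_avcs(text)]
```

Feed it `grep AVC /var/log/audit/log` output to see, per denial, whether a relabel or a boolean covers it before reaching for audit2allow.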

