Right way to do CGI that does complicated things?
Miroslav Grepl
mgrepl at redhat.com
Mon Sep 5 13:04:36 UTC 2011
On 09/03/2011 06:03 AM, Robin Lee Powell wrote:
> The user can't manipulate the public_content_rw_t files from eir
> own shell, though, which is not so great.
Do you confine also users by SELinux?
> -Robin
>
> On Fri, Sep 02, 2011 at 10:42:13PM -0700, Robin Lee Powell wrote:
>> OK, between that (thanks Jason) and a friend's reminder to read
>> "man httpd_selinux", I think I've got a decent solution worked
>> out:
>>
>> Script is httpd_sys_script_exec_t , which gives it sendmail perms.
>>
>> The data files are public_content_rw_t (so the user can set it
>> themselves; I could do httpd_sys_rw_content_t, but then I'd have
>> to set it).
>>
>> setsebool -P allow_httpd_sys_script_anon_write=1 to allow the
>> public_content_rw_t to work.
>>
>> And it seems to be fine now; no AVCs.
>>
>> -Robin
>>
>>
>> On Fri, Sep 02, 2011 at 10:17:35PM -0700, Robin Lee Powell wrote:
>>> OK, read that (again :), played around a bit. According to "sudo
>>> sesearch -T -t sendmail_exec_t":
>>>
>>> type_transition httpd_sys_script_t sendmail_exec_t : process system_mail_t;
>>>
>>> but there's no similar one for any of the other httpd script
>>> transitions. I suppose I should try marking it with
>>> httpd_sys_script_t and see how it goes.
>>>
>>> -Robin
>>>
>>> On Fri, Sep 02, 2011 at 01:50:13PM -1000, Jason Axelson wrote:
>>>> Hi Robin,
>>>>
>>>> I can't really answer your questions about what you should do, but
>>>> I wanted to provide a link that shows why httpd_user_script_t is
>>>> not transitioning to sendmail_t.
>>>>
>>>> http://danwalsh.livejournal.com/23944.html
>>>>
>>>> Jason
>>>>
>>>> On Fri, Sep 2, 2011 at 1:33 PM, Robin Lee Powell
>>>> <rlpowell at digitalkingdom.org> wrote:
>>>>> (Background: My SELinux hosts are all F15, fairly base installation,
>>>>> with the unconfined module disabled)
>>>>>
>>>>> I have a host that is for random hackery, and hence is (or at least
>>>>> is allowed to be) less secure than the others.
>>>>>
>>>>> I have a user who made a CGI (running under apache; python, in case
>>>>> that matters) that pulls things from elsewhere on the web and then
>>>>> sends email with the results.
>>>>>
>>>>> This generates a pretty large number of AVC denials, which I suppose
>>>>> is reasonable since that behaviour looks an awful lot like "I just
>>>>> got hijacked and am now being used for spam distribution".
>>>>>
>>>>> One thing I was genuinely surprised by though is that the
>>>>> mail-related denials all came in for httpd_user_script_t , rather
>>>>> than sendmail_t or something, and that no attempt to transition to
>>>>> sendmail_t seems to have occured or been denied or anything, as I'd
>>>>> have expected (it sends mail with /bin/mail ).
>>>>>
>>>>> FWIW, here's the AVCs:
>>>>>
>>>>> http://fpaste.org/ZyHg/ (uses date from the input form only)
>>>>>
>>>>> http://fpaste.org/M9Fq/ (goes out and talks to another website)
>>>>>
>>>>> I've learned a lot about SELinux recently, but it's all been
>>>>> piecemeal, so this is more of a "what's the right thing?" question
>>>>> designed to for me to learn from more than "what's the fastest way
>>>>> to fix this?".
>>>>>
>>>>> So, what's the right way to handle this situation?
>>>>>
>>>>> httpd_user_script_exec_t doesn't do the trick at all (which is
>>>>> probably good since it turns out user_u can set that with chcon,
>>>>> which I didn't expect).
>>>>>
>>>>> Is there some way without installing a module (i.e. with semanage or
>>>>> similar) to indicate to SELinux "Yeah, this script over here? It
>>>>> can talk to the web" (or "send email")?
>>>>>
>>>>> Is there a way to indicate that system-wide without installing a
>>>>> module? (not that I would, just curious)
>>>>>
>>>>> If doing it via module, it's best to create a bobs_script_exec_t and
>>>>> bobs_script_t and do everything for those types, rather than
>>>>> httpd_user_script_exec_t and friends, right? This means that a user
>>>>> making a non-trivial CGI has to come talk to me, which is a tad
>>>>> unfortunate but not horrible.
>>>>>
>>>>> Thanks for all enlightenment here, and please feel free to go the
>>>>> "you're thinking about it wrong" route; I'm really wanting to learn.
>>>>>
>>>>> -Robin
>>>>>
>>>>> --
>>>>> http://singinst.org/ : Our last, best hope for a fantastic future.
>>>>> Lojban (http://www.lojban.org/): The language in which "this parrot
>>>>> is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
>>>>> is "na nei". My personal page: http://www.digitalkingdom.org/rlp/
>>>>> --
>>>>> selinux mailing list
>>>>> selinux at lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> --
>>> http://singinst.org/ : Our last, best hope for a fantastic future.
>>> Lojban (http://www.lojban.org/): The language in which "this parrot
>>> is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
>>> is "na nei". My personal page: http://www.digitalkingdom.org/rlp/
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> --
>> http://singinst.org/ : Our last, best hope for a fantastic future.
>> Lojban (http://www.lojban.org/): The language in which "this parrot
>> is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
>> is "na nei". My personal page: http://www.digitalkingdom.org/rlp/
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
More information about the selinux
mailing list