Right way to do CGI that does complicated things?

Daniel J Walsh dwalsh at redhat.com
Tue Sep 6 14:20:26 UTC 2011



On 09/02/2011 07:33 PM, Robin Lee Powell wrote:
> 
> (Background: My SELinux hosts are all F15, fairly base
> installation, with the unconfined module disabled)
> 
> I have a host that is for random hackery, and hence is (or at
> least is allowed to be) less secure than the others.
> 
> I have a user who made a CGI (running under apache; python, in
> case that matters) that pulls things from elsewhere on the web and
> then sends email with the results.
> 
> This generates a pretty large number of AVC denials, which I
> suppose is reasonable since that behaviour looks an awful lot like
> "I just got hijacked and am now being used for spam distribution".
> 
> One thing I was genuinely surprised by though is that the
> mail-related denials all came in for httpd_user_script_t , rather
> than sendmail_t or something, and that no attempt to transition to
> sendmail_t seems to have occurred or been denied or anything, as
> I'd have expected (it sends mail with /bin/mail ).
> 
> FWIW, here's the AVCs:
> 
> http://fpaste.org/ZyHg/  (uses date from the input form only)
> 
> http://fpaste.org/M9Fq/  (goes out and talks to another website)
> 
> I've learned a lot about SELinux recently, but it's all been
> piecemeal, so this is more of a "what's the right thing?" question
> designed for me to learn from more than "what's the fastest way
> to fix this?".
> 
> So, what's the right way to handle this situation?
> 
> httpd_user_script_exec_t doesn't do the trick at all (which is 
> probably good since it turns out user_u can set that with chcon, 
> which I didn't expect).
> 
> Is there some way without installing a module (i.e. with semanage
> or similar) to indicate to SELinux "Yeah, this script over here?
> It can talk to the web" (or "send email")?
> 
> Is there a way to indicate that system-wide without installing a 
> module?  (not that I would, just curious)
> 
> If doing it via module, it's best to create a bobs_script_exec_t
> and bobs_script_t and do everything for those types, rather than 
> httpd_user_script_exec_t and friends, right?  This means that a
> user making a non-trivial CGI has to come talk to me, which is a
> tad unfortunate but not horrible.
> 
> Thanks for all enlightenment here, and please feel free to go the 
> "you're thinking about it wrong" route; I'm really wanting to
> learn.
> 
> -Robin
> 


If you are going to want users to be able to send mail via cgi
scripts, you will need to add policy for this.

Something like

mta_send_mail(httpd_user_script_t)

Should solve that problem.

Changing the label of the users directories to httpd_sys_script_exec_t
would change the cgi to run as httpd_sys_script_t which gives them
more privs.

Another boolean you might want to turn on would be httpd_unified.
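Added example (not from Dan's reply or the Fedora policy sources): a minimal local policy module that applies the mta_send_mail() interface to httpd_user_script_t, built and loaded with the reference-policy devel Makefile. The module name bobs_cgi_mail, the work directory and the use of sesearch/audit2allow for verification are assumptions; the build steps need selinux-policy-devel and root.

```shell
#!/bin/sh
# Assumed names; change to taste.
MODULE_NAME="${MODULE_NAME:-bobs_cgi_mail}"
WORKDIR="${WORKDIR:-/tmp/$MODULE_NAME}"

# Emit the Type Enforcement source for the module: exactly one interface
# call, so per-user CGI scripts gain the MTA client transition and nothing
# broader (no relabel to httpd_sys_script_exec_t, which would hand the
# script the wider httpd_sys_script_t privileges mentioned in the reply).
render_te_module() {
    cat <<EOF
policy_module($1, 1.0)

require {
    type httpd_user_script_t;
}

# Let httpd_user_script_t execute the mail client and transition into
# the mail-sending domain instead of being denied as "spam-like" activity.
mta_send_mail(httpd_user_script_t)
EOF
}

# Build the .pp package and load it; runs in a subshell so the cd is local.
# A failing make usually means the interface or type is unknown to the
# installed policy, which is the first thing to check before relaxing more.
build_and_install() (
    set -e
    mkdir -p "$WORKDIR"
    cd "$WORKDIR"
    render_te_module "$MODULE_NAME" > "$MODULE_NAME.te"
    make -f /usr/share/selinux/devel/Makefile "$MODULE_NAME.pp"
    semodule -i "$MODULE_NAME.pp"
    semodule -l | grep -q "^$MODULE_NAME"
)

# After loading, confirm the rule is really present rather than trusting
# that the denials stopped: the allow from the script domain to the
# sendmail executable should now show up.
verify_rule() {
    sesearch -A -s httpd_user_script_t -t sendmail_exec_t -c file -p execute
}

# Any denials that remain (for example the outbound web fetch) are best
# fed through audit2allow to see which interface they map to, not
# turned into raw allow rules:
#   grep httpd_user_script_t /var/log/audit/audit.log | audit2allow
```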
