[selinux] Re: Right way to do CGI that does complicated things?

Robin Lee Powell rlpowell at digitalkingdom.org
Wed Sep 7 01:47:26 UTC 2011 

On Tue, Sep 06, 2011 at 10:20:26AM -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 09/02/2011 07:33 PM, Robin Lee Powell wrote:
> > 
> > (Background: My SELinux hosts are all F15, fairly base
> > installation, with the unconfined module disabled)
> > 
> > I have a host that is for random hackery, and hence is (or at
> > least is allowed to be) less secure than the others.
> > 
> > I have a user who made a CGI (running under apache; python, in
> > case that matters) that pulls things from elsewhere on the web and
> > then sends email with the results.
> > 
> > This generates a pretty large number of AVC denials, which I
> > suppose is reasonable since that behaviour looks an awful lot like
> > "I just got hijacked and am now being used for spam distribution".
> > 
> > One thing I was genuinely surprised by though is that the 
> > mail-related denials all came in for httpd_user_script_t , rather 
> > than sendmail_t or something, and that no attempt to transition to 
> > sendmail_t seems to have occured or been denied or anything, as
> > I'd have expected (it sends mail with /bin/mail ).
> > 
> > FWIW, here's the AVCs:
> > 
> > http://fpaste.org/ZyHg/  (uses date from the input form only)
> > 
> > http://fpaste.org/M9Fq/  (goes out and talks to another website)
> > 
> > I've learned a lot about SELinux recently, but it's all been 
> > piecemeal, so this is more of a "what's the right thing?" question 
> > designed to for me to learn from more than "what's the fastest way 
> > to fix this?".
> > 
> > So, what's the right way to handle this situation?
> > 
> > httpd_user_script_exec_t doesn't do the trick at all (which is 
> > probably good since it turns out user_u can set that with chcon, 
> > which I didn't expect).
> > 
> > Is there some way without installing a module (i.e. with semanage
> > or similar) to indicate to SELinux "Yeah, this script over here?
> > It can talk to the web" (or "send email")?
> > 
> > Is there a way to indicate that system-wide without installing a 
> > module?  (not that I would, just curious)
> > 
> > If doing it via module, it's best to create a bobs_script_exec_t
> > and bobs_script_t and do everything for those types, rather than 
> > httpd_user_script_exec_t and friends, right?  This means that a
> > user making a non-trivial CGI has to come talk to me, which is a
> > tad unfortunate but not horrible.
> > 
> > Thanks for all enlightenment here, and please feel free to go the 
> > "you're thinking about it wrong" route; I'm really wanting to
> > learn.
> > 
> > -Robin
> > 
> 
> 
> If you are going to want users to be able to send mail via cgi
> scripts, you will need to add policy for this.
> 
> Something like
> 
> mta_send_mail(httpd_user_script_t)
> 
> Should solve that problem.
> 
> Changing the label of the users directories to
> httpd_sys_script_exec_t would change the cgi to run as
> httpd_sys_script_t which gives them more privs.
> 
> Another boolean you might want to turn on would be httpd_unified.

Thanks.  dgrift suggested that httpd_unified would be bad, so I
ended up making a policy module for this script, which should be
pretty easy to repurpose for other semi-priviledged CGIs, so I'm
pasting here in case other people in the future end up finding this
thread.

It looks long-ish, but the vast majority is allowing the user to
manage the files.

-Robin

- ----------------------

policy_module(myrealcorpus, 1.0.0)

########################################
#
# Declarations
#

require {
  type httpd_user_content_t;
  type user_home_t;
  type user_home_dir_t;
  type tmp_t;
  type user_t;
  type user_tmp_t;
}

#============= lojban_corpus_t ==============

# Behave much like a CGI; creates the usual such types, httpd_corpus_script_t and friends
apache_content_template(corpus)

# Be able to send email
mta_send_mail( httpd_corpus_script_t )

# Interact with /tmp
files_manage_generic_tmp_files( httpd_corpus_script_t )
allow httpd_corpus_script_t tmp_t:dir manage_dir_perms;

# Talk to the internet
userdom_basic_networking( httpd_corpus_script_t )

# DNS lookup
sysnet_dns_name_resolve( httpd_corpus_script_t )

# File and directory access
list_dirs_pattern(    httpd_corpus_script_t, httpd_user_content_t, httpd_user_content_t)
list_dirs_pattern(    httpd_corpus_script_t, user_home_dir_t, user_home_dir_t)
read_files_pattern(   httpd_corpus_script_t, user_home_t, user_home_t)
manage_dirs_pattern(  httpd_corpus_script_t, user_tmp_t, user_tmp_t)
manage_files_pattern( httpd_corpus_script_t, user_tmp_t, user_tmp_t)

# Allowing normal users (i.e. user_t) to access the files in question, and to
# relabel things to these labels.
manage_dirs_pattern(        user_t, httpd_corpus_rw_content_t, httpd_corpus_rw_content_t)
manage_files_pattern(       user_t, httpd_corpus_rw_content_t, httpd_corpus_rw_content_t)
exec_files_pattern(         user_t, httpd_corpus_rw_content_t, httpd_corpus_rw_content_t)
relabel_dirs_pattern(       user_t, httpd_corpus_rw_content_t, httpd_corpus_rw_content_t)
relabel_files_pattern(      user_t, httpd_corpus_rw_content_t, httpd_corpus_rw_content_t)

manage_dirs_pattern(        user_t, httpd_corpus_script_exec_t, httpd_corpus_script_exec_t)
manage_files_pattern(       user_t, httpd_corpus_script_exec_t, httpd_corpus_script_exec_t)
exec_files_pattern(         user_t, httpd_corpus_script_exec_t, httpd_corpus_script_exec_t)
relabel_dirs_pattern(       user_t, httpd_corpus_script_exec_t, httpd_corpus_script_exec_t)
relabel_files_pattern(      user_t, httpd_corpus_script_exec_t, httpd_corpus_script_exec_t)

- ----------------------

More information about the selinux mailing list