FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 09-02-2011, 11:33 PM
Robin Lee Powell
 
Default Right way to do CGI that does complicated things?

(Background: My SELinux hosts are all F15, fairly base installation,
with the unconfined module disabled)

I have a host that is for random hackery, and hence is (or at least
is allowed to be) less secure than the others.

I have a user who made a CGI (running under apache; python, in case
that matters) that pulls things from elsewhere on the web and then
sends email with the results.

This generates a pretty large number of AVC denials, which I suppose
is reasonable since that behaviour looks an awful lot like "I just
got hijacked and am now being used for spam distribution".

One thing I was genuinely surprised by though is that the
mail-related denials all came in for httpd_user_script_t , rather
than sendmail_t or something, and that no attempt to transition to
sendmail_t seems to have occured or been denied or anything, as I'd
have expected (it sends mail with /bin/mail ).

FWIW, here's the AVCs:

http://fpaste.org/ZyHg/ (uses date from the input form only)

http://fpaste.org/M9Fq/ (goes out and talks to another website)

I've learned a lot about SELinux recently, but it's all been
piecemeal, so this is more of a "what's the right thing?" question
designed to for me to learn from more than "what's the fastest way
to fix this?".

So, what's the right way to handle this situation?

httpd_user_script_exec_t doesn't do the trick at all (which is
probably good since it turns out user_u can set that with chcon,
which I didn't expect).

Is there some way without installing a module (i.e. with semanage or
similar) to indicate to SELinux "Yeah, this script over here? It
can talk to the web" (or "send email")?

Is there a way to indicate that system-wide without installing a
module? (not that I would, just curious)

If doing it via module, it's best to create a bobs_script_exec_t and
bobs_script_t and do everything for those types, rather than
httpd_user_script_exec_t and friends, right? This means that a user
making a non-trivial CGI has to come talk to me, which is a tad
unfortunate but not horrible.

Thanks for all enlightenment here, and please feel free to go the
"you're thinking about it wrong" route; I'm really wanting to learn.

-Robin

--
http://singinst.org/ : Our last, best hope for a fantastic future.
Lojban (http://www.lojban.org/): The language in which "this parrot
is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
is "na nei". My personal page: http://www.digitalkingdom.org/rlp/
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 09-02-2011, 11:50 PM
Jason Axelson
 
Default Right way to do CGI that does complicated things?

Hi Robin,

I can't really answer your questions about what you should do, but I
wanted to provide a link that shows why httpd_user_script_t is not
transitioning to sendmail_t.

http://danwalsh.livejournal.com/23944.html

Jason

On Fri, Sep 2, 2011 at 1:33 PM, Robin Lee Powell
<rlpowell@digitalkingdom.org> wrote:
>
> (Background: My SELinux hosts are all F15, fairly base installation,
> with the unconfined module disabled)
>
> I have a host that is for random hackery, and hence is (or at least
> is allowed to be) less secure than the others.
>
> I have a user who made a CGI (running under apache; python, in case
> that matters) that pulls things from elsewhere on the web and then
> sends email with the results.
>
> This generates a pretty large number of AVC denials, which I suppose
> is reasonable since that behaviour looks an awful lot like "I just
> got hijacked and am now being used for spam distribution".
>
> One thing I was genuinely surprised by though is that the
> mail-related denials all came in for httpd_user_script_t , rather
> than sendmail_t or something, and that no attempt to transition to
> sendmail_t seems to have occured or been denied or anything, as I'd
> have expected (it sends mail with /bin/mail ).
>
> FWIW, here's the AVCs:
>
> http://fpaste.org/ZyHg/ *(uses date from the input form only)
>
> http://fpaste.org/M9Fq/ *(goes out and talks to another website)
>
> I've learned a lot about SELinux recently, but it's all been
> piecemeal, so this is more of a "what's the right thing?" question
> designed to for me to learn from more than "what's the fastest way
> to fix this?".
>
> So, what's the right way to handle this situation?
>
> httpd_user_script_exec_t doesn't do the trick at all (which is
> probably good since it turns out user_u can set that with chcon,
> which I didn't expect).
>
> Is there some way without installing a module (i.e. with semanage or
> similar) to indicate to SELinux "Yeah, this script over here? *It
> can talk to the web" (or "send email")?
>
> Is there a way to indicate that system-wide without installing a
> module? *(not that I would, just curious)
>
> If doing it via module, it's best to create a bobs_script_exec_t and
> bobs_script_t and do everything for those types, rather than
> httpd_user_script_exec_t and friends, right? *This means that a user
> making a non-trivial CGI has to come talk to me, which is a tad
> unfortunate but not horrible.
>
> Thanks for all enlightenment here, and please feel free to go the
> "you're thinking about it wrong" route; I'm really wanting to learn.
>
> -Robin
>
> --
> http://singinst.org/ : *Our last, best hope for a fantastic future.
> Lojban (http://www.lojban.org/): The language in which "this parrot
> is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
> is "na nei". * My personal page: http://www.digitalkingdom.org/rlp/
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 09-03-2011, 05:17 AM
Robin Lee Powell
 
Default Right way to do CGI that does complicated things?

OK, read that (again , played around a bit. According to "sudo
sesearch -T -t sendmail_exec_t":

type_transition httpd_sys_script_t sendmail_exec_t : process system_mail_t;

but there's no similar one for any of the other httpd script
transitions. I suppose I should try marking it with
httpd_sys_script_t and see how it goes.

-Robin

On Fri, Sep 02, 2011 at 01:50:13PM -1000, Jason Axelson wrote:
> Hi Robin,
>
> I can't really answer your questions about what you should do, but
> I wanted to provide a link that shows why httpd_user_script_t is
> not transitioning to sendmail_t.
>
> http://danwalsh.livejournal.com/23944.html
>
> Jason
>
> On Fri, Sep 2, 2011 at 1:33 PM, Robin Lee Powell
> <rlpowell@digitalkingdom.org> wrote:
> >
> > (Background: My SELinux hosts are all F15, fairly base installation,
> > with the unconfined module disabled)
> >
> > I have a host that is for random hackery, and hence is (or at least
> > is allowed to be) less secure than the others.
> >
> > I have a user who made a CGI (running under apache; python, in case
> > that matters) that pulls things from elsewhere on the web and then
> > sends email with the results.
> >
> > This generates a pretty large number of AVC denials, which I suppose
> > is reasonable since that behaviour looks an awful lot like "I just
> > got hijacked and am now being used for spam distribution".
> >
> > One thing I was genuinely surprised by though is that the
> > mail-related denials all came in for httpd_user_script_t , rather
> > than sendmail_t or something, and that no attempt to transition to
> > sendmail_t seems to have occured or been denied or anything, as I'd
> > have expected (it sends mail with /bin/mail ).
> >
> > FWIW, here's the AVCs:
> >
> > http://fpaste.org/ZyHg/ *(uses date from the input form only)
> >
> > http://fpaste.org/M9Fq/ *(goes out and talks to another website)
> >
> > I've learned a lot about SELinux recently, but it's all been
> > piecemeal, so this is more of a "what's the right thing?" question
> > designed to for me to learn from more than "what's the fastest way
> > to fix this?".
> >
> > So, what's the right way to handle this situation?
> >
> > httpd_user_script_exec_t doesn't do the trick at all (which is
> > probably good since it turns out user_u can set that with chcon,
> > which I didn't expect).
> >
> > Is there some way without installing a module (i.e. with semanage or
> > similar) to indicate to SELinux "Yeah, this script over here? *It
> > can talk to the web" (or "send email")?
> >
> > Is there a way to indicate that system-wide without installing a
> > module? *(not that I would, just curious)
> >
> > If doing it via module, it's best to create a bobs_script_exec_t and
> > bobs_script_t and do everything for those types, rather than
> > httpd_user_script_exec_t and friends, right? *This means that a user
> > making a non-trivial CGI has to come talk to me, which is a tad
> > unfortunate but not horrible.
> >
> > Thanks for all enlightenment here, and please feel free to go the
> > "you're thinking about it wrong" route; I'm really wanting to learn.
> >
> > -Robin
> >
> > --
> > http://singinst.org/ : *Our last, best hope for a fantastic future.
> > Lojban (http://www.lojban.org/): The language in which "this parrot
> > is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
> > is "na nei". * My personal page: http://www.digitalkingdom.org/rlp/
> > --
> > selinux mailing list
> > selinux@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
http://singinst.org/ : Our last, best hope for a fantastic future.
Lojban (http://www.lojban.org/): The language in which "this parrot
is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
is "na nei". My personal page: http://www.digitalkingdom.org/rlp/
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 09-06-2011, 02:20 PM
Daniel J Walsh
 
Default Right way to do CGI that does complicated things?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/02/2011 07:33 PM, Robin Lee Powell wrote:
>
> (Background: My SELinux hosts are all F15, fairly base
> installation, with the unconfined module disabled)
>
> I have a host that is for random hackery, and hence is (or at
> least is allowed to be) less secure than the others.
>
> I have a user who made a CGI (running under apache; python, in
> case that matters) that pulls things from elsewhere on the web and
> then sends email with the results.
>
> This generates a pretty large number of AVC denials, which I
> suppose is reasonable since that behaviour looks an awful lot like
> "I just got hijacked and am now being used for spam distribution".
>
> One thing I was genuinely surprised by though is that the
> mail-related denials all came in for httpd_user_script_t , rather
> than sendmail_t or something, and that no attempt to transition to
> sendmail_t seems to have occured or been denied or anything, as
> I'd have expected (it sends mail with /bin/mail ).
>
> FWIW, here's the AVCs:
>
> http://fpaste.org/ZyHg/ (uses date from the input form only)
>
> http://fpaste.org/M9Fq/ (goes out and talks to another website)
>
> I've learned a lot about SELinux recently, but it's all been
> piecemeal, so this is more of a "what's the right thing?" question
> designed to for me to learn from more than "what's the fastest way
> to fix this?".
>
> So, what's the right way to handle this situation?
>
> httpd_user_script_exec_t doesn't do the trick at all (which is
> probably good since it turns out user_u can set that with chcon,
> which I didn't expect).
>
> Is there some way without installing a module (i.e. with semanage
> or similar) to indicate to SELinux "Yeah, this script over here?
> It can talk to the web" (or "send email")?
>
> Is there a way to indicate that system-wide without installing a
> module? (not that I would, just curious)
>
> If doing it via module, it's best to create a bobs_script_exec_t
> and bobs_script_t and do everything for those types, rather than
> httpd_user_script_exec_t and friends, right? This means that a
> user making a non-trivial CGI has to come talk to me, which is a
> tad unfortunate but not horrible.
>
> Thanks for all enlightenment here, and please feel free to go the
> "you're thinking about it wrong" route; I'm really wanting to
> learn.
>
> -Robin
>


If you are going to want users to be able to send mail via cgi
scripts, you will need to add policy for this.

Something like

mta_send_mail(httpd_user_script_t)

Should solve that problem.

Changing the label of the users directories to httpd_sys_script_exec_t
would change the cgi to run as httpd_sys_script_t which gives them
more privs.

Another boolean you might want to turn on would be httpd_unified.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5mLCoACgkQrlYvE4MpobMn7gCdG4lV284tv4/gznR7ylN2Nevc
3cYAn11VASyKdgt2UKAJNjy7Vk6u1S/b
=fYmY
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 09-07-2011, 01:47 AM
Robin Lee Powell
 
Default Right way to do CGI that does complicated things?

On Tue, Sep 06, 2011 at 10:20:26AM -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/02/2011 07:33 PM, Robin Lee Powell wrote:
> >
> > (Background: My SELinux hosts are all F15, fairly base
> > installation, with the unconfined module disabled)
> >
> > I have a host that is for random hackery, and hence is (or at
> > least is allowed to be) less secure than the others.
> >
> > I have a user who made a CGI (running under apache; python, in
> > case that matters) that pulls things from elsewhere on the web and
> > then sends email with the results.
> >
> > This generates a pretty large number of AVC denials, which I
> > suppose is reasonable since that behaviour looks an awful lot like
> > "I just got hijacked and am now being used for spam distribution".
> >
> > One thing I was genuinely surprised by though is that the
> > mail-related denials all came in for httpd_user_script_t , rather
> > than sendmail_t or something, and that no attempt to transition to
> > sendmail_t seems to have occured or been denied or anything, as
> > I'd have expected (it sends mail with /bin/mail ).
> >
> > FWIW, here's the AVCs:
> >
> > http://fpaste.org/ZyHg/ (uses date from the input form only)
> >
> > http://fpaste.org/M9Fq/ (goes out and talks to another website)
> >
> > I've learned a lot about SELinux recently, but it's all been
> > piecemeal, so this is more of a "what's the right thing?" question
> > designed to for me to learn from more than "what's the fastest way
> > to fix this?".
> >
> > So, what's the right way to handle this situation?
> >
> > httpd_user_script_exec_t doesn't do the trick at all (which is
> > probably good since it turns out user_u can set that with chcon,
> > which I didn't expect).
> >
> > Is there some way without installing a module (i.e. with semanage
> > or similar) to indicate to SELinux "Yeah, this script over here?
> > It can talk to the web" (or "send email")?
> >
> > Is there a way to indicate that system-wide without installing a
> > module? (not that I would, just curious)
> >
> > If doing it via module, it's best to create a bobs_script_exec_t
> > and bobs_script_t and do everything for those types, rather than
> > httpd_user_script_exec_t and friends, right? This means that a
> > user making a non-trivial CGI has to come talk to me, which is a
> > tad unfortunate but not horrible.
> >
> > Thanks for all enlightenment here, and please feel free to go the
> > "you're thinking about it wrong" route; I'm really wanting to
> > learn.
> >
> > -Robin
> >
>
>
> If you are going to want users to be able to send mail via cgi
> scripts, you will need to add policy for this.
>
> Something like
>
> mta_send_mail(httpd_user_script_t)
>
> Should solve that problem.
>
> Changing the label of the users directories to
> httpd_sys_script_exec_t would change the cgi to run as
> httpd_sys_script_t which gives them more privs.
>
> Another boolean you might want to turn on would be httpd_unified.

Thanks. dgrift suggested that httpd_unified would be bad, so I
ended up making a policy module for this script, which should be
pretty easy to repurpose for other semi-priviledged CGIs, so I'm
pasting here in case other people in the future end up finding this
thread.

It looks long-ish, but the vast majority is allowing the user to
manage the files.

-Robin

- ----------------------

policy_module(myrealcorpus, 1.0.0)

########################################
#
# Declarations
#

require {
type httpd_user_content_t;
type user_home_t;
type user_home_dir_t;
type tmp_t;
type user_t;
type user_tmp_t;
}

#============= lojban_corpus_t ==============

# Behave much like a CGI; creates the usual such types, httpd_corpus_script_t and friends
apache_content_template(corpus)

# Be able to send email
mta_send_mail( httpd_corpus_script_t )

# Interact with /tmp
files_manage_generic_tmp_files( httpd_corpus_script_t )
allow httpd_corpus_script_t tmp_t:dir manage_dir_perms;

# Talk to the internet
userdom_basic_networking( httpd_corpus_script_t )

# DNS lookup
sysnet_dns_name_resolve( httpd_corpus_script_t )

# File and directory access
list_dirs_pattern( httpd_corpus_script_t, httpd_user_content_t, httpd_user_content_t)
list_dirs_pattern( httpd_corpus_script_t, user_home_dir_t, user_home_dir_t)
read_files_pattern( httpd_corpus_script_t, user_home_t, user_home_t)
manage_dirs_pattern( httpd_corpus_script_t, user_tmp_t, user_tmp_t)
manage_files_pattern( httpd_corpus_script_t, user_tmp_t, user_tmp_t)

# Allowing normal users (i.e. user_t) to access the files in question, and to
# relabel things to these labels.
manage_dirs_pattern( user_t, httpd_corpus_rw_content_t, httpd_corpus_rw_content_t)
manage_files_pattern( user_t, httpd_corpus_rw_content_t, httpd_corpus_rw_content_t)
exec_files_pattern( user_t, httpd_corpus_rw_content_t, httpd_corpus_rw_content_t)
relabel_dirs_pattern( user_t, httpd_corpus_rw_content_t, httpd_corpus_rw_content_t)
relabel_files_pattern( user_t, httpd_corpus_rw_content_t, httpd_corpus_rw_content_t)

manage_dirs_pattern( user_t, httpd_corpus_script_exec_t, httpd_corpus_script_exec_t)
manage_files_pattern( user_t, httpd_corpus_script_exec_t, httpd_corpus_script_exec_t)
exec_files_pattern( user_t, httpd_corpus_script_exec_t, httpd_corpus_script_exec_t)
relabel_dirs_pattern( user_t, httpd_corpus_script_exec_t, httpd_corpus_script_exec_t)
relabel_files_pattern( user_t, httpd_corpus_script_exec_t, httpd_corpus_script_exec_t)

- ----------------------
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

Thread Tools




All times are GMT. The time now is 05:51 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org