FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 09-03-2011, 05:42 AM
Robin Lee Powell
 
Default Right way to do CGI that does complicated things?

OK, between that (thanks Jason) and a friend's reminder to read "man
httpd_selinux", I think I've got a decent solution worked out:

Script is httpd_sys_script_exec_t , which gives it sendmail perms.

The data files are public_content_rw_t (so the user can set it
themselves; I could do httpd_sys_rw_content_t, but then I'd have to
set it).

setsebool -P allow_httpd_sys_script_anon_write=1 to allow the
public_content_rw_t to work.

And it seems to be fine now; no AVCs.

-Robin


On Fri, Sep 02, 2011 at 10:17:35PM -0700, Robin Lee Powell wrote:
> OK, read that (again , played around a bit. According to "sudo
> sesearch -T -t sendmail_exec_t":
>
> type_transition httpd_sys_script_t sendmail_exec_t : process system_mail_t;
>
> but there's no similar one for any of the other httpd script
> transitions. I suppose I should try marking it with
> httpd_sys_script_t and see how it goes.
>
> -Robin
>
> On Fri, Sep 02, 2011 at 01:50:13PM -1000, Jason Axelson wrote:
> > Hi Robin,
> >
> > I can't really answer your questions about what you should do, but
> > I wanted to provide a link that shows why httpd_user_script_t is
> > not transitioning to sendmail_t.
> >
> > http://danwalsh.livejournal.com/23944.html
> >
> > Jason
> >
> > On Fri, Sep 2, 2011 at 1:33 PM, Robin Lee Powell
> > <rlpowell@digitalkingdom.org> wrote:
> > >
> > > (Background: My SELinux hosts are all F15, fairly base installation,
> > > with the unconfined module disabled)
> > >
> > > I have a host that is for random hackery, and hence is (or at least
> > > is allowed to be) less secure than the others.
> > >
> > > I have a user who made a CGI (running under apache; python, in case
> > > that matters) that pulls things from elsewhere on the web and then
> > > sends email with the results.
> > >
> > > This generates a pretty large number of AVC denials, which I suppose
> > > is reasonable since that behaviour looks an awful lot like "I just
> > > got hijacked and am now being used for spam distribution".
> > >
> > > One thing I was genuinely surprised by though is that the
> > > mail-related denials all came in for httpd_user_script_t , rather
> > > than sendmail_t or something, and that no attempt to transition to
> > > sendmail_t seems to have occured or been denied or anything, as I'd
> > > have expected (it sends mail with /bin/mail ).
> > >
> > > FWIW, here's the AVCs:
> > >
> > > http://fpaste.org/ZyHg/ *(uses date from the input form only)
> > >
> > > http://fpaste.org/M9Fq/ *(goes out and talks to another website)
> > >
> > > I've learned a lot about SELinux recently, but it's all been
> > > piecemeal, so this is more of a "what's the right thing?" question
> > > designed to for me to learn from more than "what's the fastest way
> > > to fix this?".
> > >
> > > So, what's the right way to handle this situation?
> > >
> > > httpd_user_script_exec_t doesn't do the trick at all (which is
> > > probably good since it turns out user_u can set that with chcon,
> > > which I didn't expect).
> > >
> > > Is there some way without installing a module (i.e. with semanage or
> > > similar) to indicate to SELinux "Yeah, this script over here? *It
> > > can talk to the web" (or "send email")?
> > >
> > > Is there a way to indicate that system-wide without installing a
> > > module? *(not that I would, just curious)
> > >
> > > If doing it via module, it's best to create a bobs_script_exec_t and
> > > bobs_script_t and do everything for those types, rather than
> > > httpd_user_script_exec_t and friends, right? *This means that a user
> > > making a non-trivial CGI has to come talk to me, which is a tad
> > > unfortunate but not horrible.
> > >
> > > Thanks for all enlightenment here, and please feel free to go the
> > > "you're thinking about it wrong" route; I'm really wanting to learn.
> > >
> > > -Robin
> > >
> > > --
> > > http://singinst.org/ : *Our last, best hope for a fantastic future.
> > > Lojban (http://www.lojban.org/): The language in which "this parrot
> > > is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
> > > is "na nei". * My personal page: http://www.digitalkingdom.org/rlp/
> > > --
> > > selinux mailing list
> > > selinux@lists.fedoraproject.org
> > > https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >
> > --
> > selinux mailing list
> > selinux@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> --
> http://singinst.org/ : Our last, best hope for a fantastic future.
> Lojban (http://www.lojban.org/): The language in which "this parrot
> is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
> is "na nei". My personal page: http://www.digitalkingdom.org/rlp/
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
http://singinst.org/ : Our last, best hope for a fantastic future.
Lojban (http://www.lojban.org/): The language in which "this parrot
is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
is "na nei". My personal page: http://www.digitalkingdom.org/rlp/
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

Thread Tools




All times are GMT. The time now is 06:35 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org