09-03-2011, 06:03 AM
Robin Lee Powell

Right way to do CGI that does complicated things?

The user can't manipulate the public_content_rw_t files from eir
own shell, though, which is not so great.

-Robin

On Fri, Sep 02, 2011 at 10:42:13PM -0700, Robin Lee Powell wrote:
> OK, between that (thanks Jason) and a friend's reminder to read
> "man httpd_selinux", I think I've got a decent solution worked
> out:
>
> Script is httpd_sys_script_exec_t, which gives it sendmail perms.
>
> The data files are public_content_rw_t (so the user can set it
> themselves; I could do httpd_sys_rw_content_t, but then I'd have
> to set it).
>
> setsebool -P allow_httpd_sys_script_anon_write=1 to allow the
> public_content_rw_t to work.
>
> And it seems to be fine now; no AVCs.
>
> -Robin
>
>
> On Fri, Sep 02, 2011 at 10:17:35PM -0700, Robin Lee Powell wrote:
> > OK, read that (again), played around a bit. According to "sudo
> > sesearch -T -t sendmail_exec_t":
> >
> > type_transition httpd_sys_script_t sendmail_exec_t : process system_mail_t;
> >
> > but there's no similar one for any of the other httpd script
> > transitions. I suppose I should try marking it with
> > httpd_sys_script_t and see how it goes.
> >
> > -Robin
> >
> > On Fri, Sep 02, 2011 at 01:50:13PM -1000, Jason Axelson wrote:
> > > Hi Robin,
> > >
> > > I can't really answer your questions about what you should do, but
> > > I wanted to provide a link that shows why httpd_user_script_t is
> > > not transitioning to sendmail_t.
> > >
> > > http://danwalsh.livejournal.com/23944.html
> > >
> > > Jason
> > >
> > > On Fri, Sep 2, 2011 at 1:33 PM, Robin Lee Powell
> > > <rlpowell@digitalkingdom.org> wrote:
> > > >
> > > > (Background: My SELinux hosts are all F15, fairly base installation,
> > > > with the unconfined module disabled)
> > > >
> > > > I have a host that is for random hackery, and hence is (or at least
> > > > is allowed to be) less secure than the others.
> > > >
> > > > I have a user who made a CGI (running under apache; python, in case
> > > > that matters) that pulls things from elsewhere on the web and then
> > > > sends email with the results.
> > > >
> > > > This generates a pretty large number of AVC denials, which I suppose
> > > > is reasonable since that behaviour looks an awful lot like "I just
> > > > got hijacked and am now being used for spam distribution".
> > > >
> > > > One thing I was genuinely surprised by though is that the
> > > > mail-related denials all came in for httpd_user_script_t, rather
> > > > than sendmail_t or something, and that no attempt to transition to
> > > > sendmail_t seems to have occurred or been denied or anything, as I'd
> > > > have expected (it sends mail with /bin/mail).
> > > >
> > > > FWIW, here's the AVCs:
> > > >
> > > > http://fpaste.org/ZyHg/ (uses date from the input form only)
> > > >
> > > > http://fpaste.org/M9Fq/ (goes out and talks to another website)
> > > >
> > > > I've learned a lot about SELinux recently, but it's all been
> > > > piecemeal, so this is more of a "what's the right thing?" question
> > > > designed for me to learn from, more than "what's the fastest way
> > > > to fix this?".
> > > >
> > > > So, what's the right way to handle this situation?
> > > >
> > > > httpd_user_script_exec_t doesn't do the trick at all (which is
> > > > probably good since it turns out user_u can set that with chcon,
> > > > which I didn't expect).
> > > >
> > > > Is there some way without installing a module (i.e. with semanage or
> > > > similar) to indicate to SELinux "Yeah, this script over here? It
> > > > can talk to the web" (or "send email")?
> > > >
> > > > Is there a way to indicate that system-wide without installing a
> > > > module? (not that I would, just curious)
> > > >
> > > > If doing it via module, it's best to create a bobs_script_exec_t and
> > > > bobs_script_t and do everything for those types, rather than
> > > > httpd_user_script_exec_t and friends, right? This means that a user
> > > > making a non-trivial CGI has to come talk to me, which is a tad
> > > > unfortunate but not horrible.
> > > >
> > > > Thanks for all enlightenment here, and please feel free to go the
> > > > "you're thinking about it wrong" route; I'm really wanting to learn.
> > > >
> > > > -Robin
> > > >
> > > > --
> > > > http://singinst.org/ : Our last, best hope for a fantastic future.
> > > > Lojban (http://www.lojban.org/): The language in which "this parrot
> > > > is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
> > > > is "na nei". My personal page: http://www.digitalkingdom.org/rlp/
> > > > --
> > > > selinux mailing list
> > > > selinux@lists.fedoraproject.org
> > > > https://admin.fedoraproject.org/mailman/listinfo/selinux
> > > >

--
http://singinst.org/ : Our last, best hope for a fantastic future.
Lojban (http://www.lojban.org/): The language in which "this parrot
is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
is "na nei". My personal page: http://www.digitalkingdom.org/rlp/
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
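A defender's triage helper for the AVC pattern this thread describes, added here as an example and not code from the thread or from the Fedora policy: it parses constructed audit records (the fpaste contents are not on this page), counts denials per source domain, and flags script domains that were denied executing sendmail_exec_t while having no type_transition into system_mail_t. MAIL_TRANSITIONS holds only the single rule Robin quoted from sesearch; on a real host it would be regenerated from `sesearch -T -t sendmail_exec_t`.

```python
import re
from collections import Counter

# Constructed AVC records (not the thread's fpaste output) modelled on the situation
# described: a Python CGI in httpd_user_script_t execs sendmail and writes a data
# file, and every denial lands in the script domain because no transition fires.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1314999999.101:201): avc:  denied  { execute } for  pid=2001 comm="python" name="sendmail" dev=sda1 ino=131 scontext=system_u:system_r:httpd_user_script_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1314999999.102:202): avc:  denied  { read open } for  pid=2001 comm="python" name="sendmail" dev=sda1 ino=131 scontext=system_u:system_r:httpd_user_script_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1314999999.103:203): avc:  denied  { write } for  pid=2001 comm="python" name="results.txt" dev=sda1 ino=142 scontext=system_u:system_r:httpd_user_script_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
type=USER_AVC msg=audit(1314999999.104:204): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)'
"""

# Matches only "denied" AVC records; other audit record types are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# The one mail type_transition the thread found on F15 with "sesearch -T -t sendmail_exec_t":
# only httpd_sys_script_t moves into system_mail_t when it executes sendmail_exec_t.
MAIL_TRANSITIONS = {"httpd_sys_script_t": "system_mail_t"}


def parse_avcs(text):
    """Return one dict per AVC denial: permissions, source domain, target type, class."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            events.append({
                "perms": m.group("perms").split(),
                "sdomain": m.group("scontext").split(":")[2],  # type field of the context
                "ttype": m.group("tcontext").split(":")[2],
                "tclass": m.group("tclass"),
            })
    return events


def denials_by_domain(events):
    """Count denials per (source domain, target type, object class) as a first triage view."""
    return Counter((e["sdomain"], e["ttype"], e["tclass"]) for e in events)


def domains_missing_mail_transition(events):
    """Domains denied executing sendmail_exec_t that the policy never transitions to a mail domain.

    This is why the thread saw mail denials in httpd_user_script_t instead of a mail domain."""
    hits = set()
    for e in events:
        if e["ttype"] == "sendmail_exec_t" and "execute" in e["perms"] and e["sdomain"] not in MAIL_TRANSITIONS:
            hits.add(e["sdomain"])
    return sorted(hits)
```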
 
09-05-2011, 01:04 PM
Miroslav Grepl

Right way to do CGI that does complicated things?

On 09/03/2011 06:03 AM, Robin Lee Powell wrote:
> The user can't manipulate the public_content_rw_t files from eir
> own shell, though, which is not so great.
Do you confine also users by SELinux?