Bug 182673
Summary: Policy modifications needed for w3c-markup-validator
Product: [Fedora] Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Reporter: Ville Skyttä <scop>
Assignee: Daniel Walsh <dwalsh>
Doc Type: Bug Fix
Last Closed: 2007-04-10 19:04:45 UTC
Bug Blocks: 149454
Description
Ville Skyttä
2006-02-23 22:26:13 UTC
Ok, start by doing

chcon -R -t httpd_sys_content_t /usr/share/w3c-markup-validator
chcon -R -t httpd_sys_script_exec_t /usr/share/w3c-markup-validator/cgi-bin

Then run in permissive mode and collect the AVC messages. We could write a special policy for /usr/share/w3c-markup-validator/check if it needs a lot more privs than a normal cgi script.

Created attachment 125201 [details]
audit.log excerpt

Ok, here goes. Some things worth noting:

The validator uses a template system and currently tries to write the precompiled templates to /tmp/validator/[...], that's where those paths in the log are from. I'm not 100% sure if that's the best place for them, maybe /var/cache/w3c-markup-validator would be better.

The log contains a few usual validator requests from URLs, some for uploaded files, and one in the end for a document that triggers the need for onsgmls to fetch a DTD from the net.
Ok, I think we are most of the way there, but we probably should build a new policy for it.

Created attachment 125210 [details]
Te file for new policy
Te file
Created attachment 125211 [details]
File context file
File context
Created attachment 125212 [details]
Interface file
interface file
If you extract these three packages into a directory and then execute

make -f /usr/share/selinux/devel/Makefile

it will build a w3c.pp file. You can then load the file into policy using

semodule -i w3c.pp

Now relabel the directories:

restorecon -R -v /usr/share/w3c-markup-validator

Run in permissive mode and collect AVCs. You can then use

audit2allow -R -i /var/log/audit/audit.log

to generate policy for w3c, add these to the te file, and repeat the make and semodule commands.

Hmm, what am I missing:

$ make -f /usr/share/selinux/devel/Makefile
Compliling devel w3c module
/usr/bin/checkmodule: loading policy configuration from tmp/w3c.tmp
w3c.te:3:ERROR 'attribute httpdcontent is not declared' at token ';' on line 39427:
#line 3
type httpd_w3c_content_t, httpdcontent; # customizable
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/w3c.mod] Error 1

Yea, sorry about that. You need to update to policy-2.2.21-8 on ftp://people.redhat.com/dwalsh/SELinux/Fedora

Ok, updated selinux-policy and selinux-policy-targeted, got w3c.pp generated and managed to load it. But audit2allow barfs:

audit2allow -R -i /var/log/audit/audit.log
/usr/bin/audit2allow: Reference policy generation requires the policy development package.
[Errno 2] No such file or directory: '/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt'

selinux-policy-devel doesn't seem to exist any more for 2.2.21-8, so I'm unsure what package I need to install.

The policycoreutils package has also been updated; you need 1.29.26-2, which is in Rawhide, or you can grab it off of people.

I already have (and had) 1.29.26-2 installed from Rawhide.

Created attachment 125260 [details]
WIP w3c.te
Ok, here's my latest w3c.te. I suppose this still needs some tightening up.
Created attachment 129265 [details]
Current w3c.fc
I've worked some more on this, and I now have something that is pretty close. Here's the *.fc, the *.te will follow shortly.

Remaining issues:

1) Caching of precompiled templates: I'll just turn that feature off.

2) On the first validation, no matter what gets validated, I see this:

May 16 23:06:09 viper kernel: audit(1147809969.648:44): avc: denied { read } for pid=14876 comm="check" scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file

No ideas where that comes from. Thoughts?

3) Even with the ftp_port things uncommented in the soon-to-be-upped w3c.te, I see this for FTP validations:

May 16 23:06:29 viper kernel: audit(1147809989.825:45): avc: denied { name_connect } for pid=14889 comm="check" dest=7654 scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
May 16 23:06:29 viper kernel: audit(1147809989.825:46): avc: denied { send_msg } for pid=14889 comm="check" saddr=192.168.2.5 src=57424 daddr=193.166.3.2 dest=7654 netif=wlan0 scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
May 16 23:06:29 viper kernel: audit(1147809989.841:47): avc: denied { recv_msg } for saddr=193.166.3.2 src=7654 daddr=192.168.2.5 dest=57424 netif=wlan0 scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

I wonder what I should do to get rid of those? If it's hard to do, I'm willing to just leave FTP out of the policy module; HTTP and HTTPS are by far the most used ones anyway.
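As an added example (not code from this bug, and not audit2allow itself), a small Python script that performs the merging step the build/load/collect loop above relies on: it parses the AVC denials quoted in this thread into allow rules keyed by source type, target type and object class, and separately flags denials whose target is port_t, the label of ports with no specific port type; a named-port interface such as corenet_tcp_connect_ftp_port only grants access to ports carrying that type, so it cannot cover a connection to a port_t port. The sample lines are the ones quoted above, embedded as constructed input; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC denials quoted in this bug, one record per line.
SAMPLE_AVCS = """\
May 16 23:06:09 viper kernel: audit(1147809969.648:44): avc: denied { read } for pid=14876 comm="check" scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
May 16 23:06:29 viper kernel: audit(1147809989.825:45): avc: denied { name_connect } for pid=14889 comm="check" dest=7654 scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
May 16 23:06:29 viper kernel: audit(1147809989.825:46): avc: denied { send_msg } for pid=14889 comm="check" saddr=192.168.2.5 src=57424 daddr=193.166.3.2 dest=7654 netif=wlan0 scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
May 16 23:06:29 viper kernel: audit(1147809989.841:47): avc: denied { recv_msg } for saddr=193.166.3.2 src=7654 daddr=192.168.2.5 dest=57424 netif=wlan0 scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

# Permissions, source/target contexts and object class of one "avc: denied" record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Type field of a user:role:type[:level] context, e.g. httpd_w3c_script_t."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for every denial in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"],
                   set(m["perms"].split()))


def allow_rules(text):
    """Merge denials sharing (source, target, class) into one allow rule each,
    as audit2allow does without -R (raw rules, no refpolicy interfaces)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        merged[(src, tgt, cls)] |= perms
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in merged.items())


def generic_port_denials(text):
    """Denials against port_t (ports with no specific type). A named-port
    interface grants only its own port type, so these need a different fix."""
    return [(src, cls, sorted(perms))
            for src, tgt, cls, perms in parse_avcs(text) if tgt == "port_t"]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
```

The raw rules are a starting point for review, not something to paste into the .te unchanged; the thread's own approach of replacing them with refpolicy interfaces (corenet_*, miscfiles_read_certs) is the tighter one.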
Created attachment 129267 [details]
Current w3c.te
Here's the *.te. Notes:

- Plain corenet_tcp_connect_*_port doesn't seem to be enough, I needed to add the corresponding sendrecv.
- miscfiles_read_certs is required for SSL/TLS validations

By the way, "w3c" sounds like too generic a name for this policy; there's a *lot* of different web apps available from W3C with differing functionality and requirements. Are there any suggested naming conventions/constraints for the modules? Would "w3c-validator" work?
Sure. We don't have any naming conventions yet. I attempt to match the rpm file, and lower case is preferred. Have you tried to get your policy accepted upstream?

Dan

Not yet, as there are some TODOs, see comment 14, issues 2) and 3) (any thoughts on those?). Additionally, I think I'll wait a bit before trying to push this upstream because a new release of the validator is in the pipeline and it might change things somewhat.

Hm, comment 17 had some unanswered questions; "CLOSED NOTABUG" without a comment implies this is not the place to ask them. What would be?

Sorry, I was just going through cleaning up a bunch of old bugs. Let's take this to email.

Since w3c is now part of extras I want to add policy for it. How do you test/run it?