Bug 448445
| Field | Value |
|---|---|
| Summary | Policy has no boolean to allow httpd to allow execmem for CGI |
| Product | Fedora |
| Component | selinux-policy-targeted |
| Version | 9 |
| Status | CLOSED NOTABUG |
| Severity | low |
| Priority | low |
| Hardware | All |
| OS | Linux |
| Reporter | John D. Ramsdell <ramsdell> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Ben Levenson <benl> |
| Doc Type | Bug Fix |
| Last Closed | 2008-07-02 19:14:44 UTC |
Description
John D. Ramsdell
2008-05-26 22:40:15 UTC
Created attachment 306712
Policy to allow execmem for CGI scripts

I also notice that SELinux prevents tmpwatch (tmpreaper_t) "getattr" to /tmp/cgiapp.pid (httpd_sys_content_rw_t). The file /tmp/cgiapp.pid is a lock file created by a CGI script that ensures at most one copy of the big CGI program is running at any time. The program tmpwatch was trying to reap a lock file left over after a crash.

I think allowing httpd_sys_script_t execmem calls for special policy. Either write a wrapper for your cgi or load a custom policy to allow all scripts to execmem.

How did a httpd_sys_content_rw_t file get on /tmp? Looks like it was moved there. Need to either fix the label using chcon or remove it.

Created attachment 310931
Script that creates /tmp file entry with type httpd_sys_content_rw_t

Thanks Dan. I'm ahead of you on the custom policy. The last release of my application included the custom policy attached to this bug report. The httpd_sys_content_rw_t file was created in /tmp by the CGI script. It's a lock file used to make sure only one copy of the program is running at a time. The SELinux policy determined the label. I've enclosed the shell script that wraps a Python script that wraps the Haskell program. The shell script enforces the one-at-a-time rule.

My point was to create a haskell cgi script versus just adding a boolean to httpd_sys_script_t. Your method will allow all cgi scripts execmem, while if you created httpd_haskell_script_t you would only allow it to scripts labeled httpd_haskell_script_exec_t.

Current policy has rules to allow tmpreaper to delete these files:

```
sesearch --allow | grep tmpreaper | grep http
WARNING: This policy contained disabled aliases; they have been removed.
allow tmpreaper_t httpd_sys_content_rw_t : file { getattr unlink };
allow tmpreaper_t httpd_sys_content_rw_t : dir { ioctl write getattr lock remove_name search rmdir };
allow tmpreaper_t httpd_sys_content_rw_t : lnk_file { getattr unlink };
allow tmpreaper_t httpd_sys_content_rw_t : sock_file { getattr unlink };
allow tmpreaper_t httpd_sys_content_rw_t : fifo_file { getattr unlink };
```

You're right. Your version of the policy is superior to mine. My desktop machine is within my company's firewalls, so I normally run Fedora on my desktop in permissive mode. I now have cause to use enforcing mode for a project unrelated to the one using the web server. The goal of the policy I wrote was to quickly enable work on the other project while preserving the desktop's ability to run my CGI scripts. I was not guided by the principle of least privilege. I found a reward when running in permissive mode without my policy module loaded. Whenever my CGI script runs, setroubleshoot alerts me to this fact. I learned to appreciate and use the real-time reports sent to me using an easy-to-use mechanism that required no setup. Since I can usually guess who's using the server, I know when to appear in that person's office, and be sure my program will be a good topic for discussion. These timely discussions have led to several improvements in the program. I bet this is a way of using setroubleshoot no one thought of beforehand!