Bug 182673 - Policy modifications needed for w3c-markup-validator
Policy modifications needed for w3c-markup-validator
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks: 149454
  Show dependency treegraph
 
Reported: 2006-02-23 17:26 EST by Ville Skyttä
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-10 15:04:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
audit.log excerpt (21.88 KB, text/plain)
2006-02-24 14:17 EST, Ville Skyttä
no flags Details
Te file for new policy (99 bytes, application/octet-stream)
2006-02-24 15:29 EST, Daniel Walsh
no flags Details
File context file (196 bytes, application/octet-stream)
2006-02-24 15:30 EST, Daniel Walsh
no flags Details
Interface file (20 bytes, application/octet-stream)
2006-02-24 15:33 EST, Daniel Walsh
no flags Details
WIP w3c.te (499 bytes, text/plain)
2006-02-25 16:27 EST, Ville Skyttä
no flags Details
Current w3c.fc (197 bytes, text/plain)
2006-05-16 16:06 EDT, Ville Skyttä
no flags Details
Current w3c.te (610 bytes, text/plain)
2006-05-16 16:10 EDT, Ville Skyttä
no flags Details

  None (edit)
Description Ville Skyttä 2006-02-23 17:26:13 EST
The w3c-markup-validator package is not currently shipped in Extras because of
missing SELinux policy modifications for it (but the package is in CVS, check it
out for more info).  I cannot seem to find up to date documentation on the
policies, so I'll just add the details here.

- /usr/share/w3c-markup-validator/cgi-bin/* are CGI scripts and need to be
  able to read things from /etc/w3c and /usr/share/w3c-markup-validator
- /usr/share/w3c-markup-validator/check additionally needs to be able to:
  - resolve hostnames (/etc/resolv.conf, DNS traffic (for Net::IP perl module))
  - fetch documents from arbitrary URLs
  - invoke /usr/bin/onsgmls which:
    - needs to read stuff in /usr/share/sgml/w3c-markup-validator and most 
      likely /etc/sgml and /etc/xml in the future as well as rest of
      /usr/share/sgml and /usr/share/xml
    - needs to be able to fetch stuff from arbitrary URLs (for resolving
      external entities, fetching DTDs etc)
- /usr/share/w3c-markup-validator/{htdocs,share} should probably be usual
  httpd content
Comment 1 Daniel Walsh 2006-02-24 08:44:01 EST
Ok start by doing 

chcon -R -t httpd_sys_content_t /usr/share/w3c-markup-validator
chcon -R -t httpd_sys_script_exec_t /usr/share/w3c-markup-validator/cgi-bin

Then run in permissive mode and collect the AVC messages. 
We could write a special policy for /usr/share/w3c-markup-validator/check
if it needs a lot more privs then a normal cgi script.
Comment 2 Ville Skyttä 2006-02-24 14:17:11 EST
Created attachment 125201 [details]
audit.log excerpt

Ok, here goes.	Some things worth noting:

The validator uses a template system and currently tries to write the
precompiled templates to /tmp/validator/[...], that's where those paths in the
log are from.  I'm not 100% sure if that's the best place for them, maybe
/var/cache/w3c-markup-validator would be better.

The log contains a few usual validator requests from URLs, some for uploaded
files, and one in the end for a document that triggers the need for onsgmls to
fetch a DTD from the net.
Comment 3 Daniel Walsh 2006-02-24 15:28:47 EST
Ok I think we are most of the way there, but We probably should build a new
policy for it.

Comment 4 Daniel Walsh 2006-02-24 15:29:40 EST
Created attachment 125210 [details]
Te file for new policy

Te file
Comment 5 Daniel Walsh 2006-02-24 15:30:27 EST
Created attachment 125211 [details]
File context file

File context
Comment 6 Daniel Walsh 2006-02-24 15:33:34 EST
Created attachment 125212 [details]
Interface file

interface file
Comment 7 Daniel Walsh 2006-02-24 15:37:27 EST
If you extract these three packages into a directory and then execute

make -f /usr/share/selinux/devel/Makefile

It will build a w3c.pp file

You can then load the file into policy using

semodule -i w3c.pp

Now relabel the directories

restorecon -R -v /usr/share/w3c-markup-validator

RUn in permissive mode and collect AVCs.

You can then use audit2allow -R -i /var/log/audit/audit.log 

to generate policy for w3c and add these to the te file and 
repeat make and semodule command.
Comment 8 Ville Skyttä 2006-02-24 16:29:09 EST
Hmm, what am I missing:

$ make -f /usr/share/selinux/devel/Makefile
Compliling devel w3c module
/usr/bin/checkmodule:  loading policy configuration from tmp/w3c.tmp
w3c.te:3:ERROR 'attribute httpdcontent is not declared' at token ';' on line 39427:
#line 3
        type httpd_w3c_content_t, httpdcontent; # customizable
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/w3c.mod] Error 1
Comment 9 Daniel Walsh 2006-02-24 16:38:48 EST
Yea, sorry about that.  You need to update to 

policy-2.2.21-8

on ftp://people.redhat.com/dwalsh/SELinux/Fedora
Comment 10 Ville Skyttä 2006-02-24 19:12:46 EST
Ok, updated selinux-policy and selinux-policy-targeted, got w3c.pp generated and
managed to load it.  But audit2allow barfs:

audit2allow -R -i /var/log/audit/audit.log
/usr/bin/audit2allow: Reference policy generation requires the policy
development package.
[Errno 2] No such file or directory:
'/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt'

selinux-policy-devel doesn't seem to exist any more for 2.2.21-8, so I'm unsure
what is the package I need to install.
Comment 11 Daniel Walsh 2006-02-25 08:02:30 EST
The policycoreutils package has also been updated

you need 1.29.26-2 which is in Rawhide, or you can grab it off of people.
Comment 12 Ville Skyttä 2006-02-25 08:24:42 EST
I already have (and had) 1.29.26-2 installed from Rawhide.
Comment 13 Ville Skyttä 2006-02-25 16:27:19 EST
Created attachment 125260 [details]
WIP w3c.te

Ok, here's my latest w3c.te.  I suppose this still needs some tightening up.
Comment 14 Ville Skyttä 2006-05-16 16:06:21 EDT
Created attachment 129265 [details]
Current w3c.fc

I've worked some more on this, and I now have something that is pretty close. 
Here's the *.fc, the *.te will follow shortly.

Remaining issues:

1) Caching of precompiled templates: I'll just turn that feature off.

2) On the first validation, no matter what gets validated, I see this:
May 16 23:06:09 viper kernel: audit(1147809969.648:44): avc:  denied  { read }
for  pid=14876 comm="check" scontext=user_u:system_r:httpd_w3c_script_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file

No ideas where that comes from.  Thoughts?

3) Even with the ftp_port things uncommented in the soon-to-be-upped w3c.te, I
see this for FTP validations:
May 16 23:06:29 viper kernel: audit(1147809989.825:45): avc:  denied  {
name_connect } for  pid=14889 comm="check" dest=7654
scontext=user_u:system_r:httpd_w3c_script_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
May 16 23:06:29 viper kernel: audit(1147809989.825:46): avc:  denied  {
send_msg } for	pid=14889 comm="check" saddr=192.168.2.5 src=57424
daddr=193.166.3.2 dest=7654 netif=wlan0
scontext=user_u:system_r:httpd_w3c_script_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
May 16 23:06:29 viper kernel: audit(1147809989.841:47): avc:  denied  {
recv_msg } for	saddr=193.166.3.2 src=7654 daddr=192.168.2.5 dest=57424
netif=wlan0 scontext=user_u:system_r:httpd_w3c_script_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

I wonder what should I do to get rid of those?	If it's hard to do, I'm willing
to just leave FTP out from the policy module, HTTP and HTTPS are by far the
most used ones anyway.
Comment 15 Ville Skyttä 2006-05-16 16:10:13 EDT
Created attachment 129267 [details]
Current w3c.te

Here's the *.te.  Notes:
- Plain corenet_tcp_connect_*_port doesn't seem to be enough, I needed to add
the corresponding sendrecv.
- miscfiles_read_certs is required for SSL/TLS validations

By the way, "w3c" sounds like a too generic name for this policy, there's a
*lot* of different web apps available from W3C with differing functionality and
requirements.  Are there any suggested naming conventions/constraints for the
modules?  Would "w3c-validator" work?
Comment 16 Daniel Walsh 2006-05-23 16:32:49 EDT
Sure.  We don't have any naming conventions yet.  I attempt to match the rpm
file and it is prefered lower case.  Have you tried to get your policy accepted
upstream?

Dan
Comment 17 Ville Skyttä 2006-05-23 17:15:21 EDT
Not yet, as there are some TODOs, see comment 14, issues 2) and 3) (any thoughts
on those?).  Additionally, I think I'll wait a bit before trying to push this
upstream because a new release of the validator is in the pipeline and it might
change things somewhat.
Comment 18 Ville Skyttä 2007-04-10 15:14:35 EDT
Hm, comment 17 had some unanswered questions; "CLOSED NOTABUG" without a comment
implies this is not the place to ask them.  What would be?
Comment 19 Daniel Walsh 2007-04-10 15:48:05 EDT
Sorry, I was just going through cleaning up a bunch of old bugs.  Lets take the
is to email.  Since w3c is now part of extras I want to add policy for it.

How do you test/run it?

Note You need to log in before you can comment on or make changes to this bug.