The w3c-markup-validator package is not currently shipped in Extras because of missing SELinux policy modifications for it (but the package is in CVS, check it out for more info). I cannot seem to find up-to-date documentation on the policies, so I'll just add the details here.

- /usr/share/w3c-markup-validator/cgi-bin/* are CGI scripts and need to be able to read things from /etc/w3c and /usr/share/w3c-markup-validator
- /usr/share/w3c-markup-validator/check additionally needs to be able to:
  - resolve hostnames (/etc/resolv.conf, DNS traffic (for the Net::IP perl module))
  - fetch documents from arbitrary URLs
  - invoke /usr/bin/onsgmls which:
    - needs to read stuff in /usr/share/sgml/w3c-markup-validator and most likely /etc/sgml and /etc/xml in the future, as well as the rest of /usr/share/sgml and /usr/share/xml
    - needs to be able to fetch stuff from arbitrary URLs (for resolving external entities, fetching DTDs etc)
- /usr/share/w3c-markup-validator/{htdocs,share} should probably be usual httpd content
Ok, start by doing

chcon -R -t httpd_sys_content_t /usr/share/w3c-markup-validator
chcon -R -t httpd_sys_script_exec_t /usr/share/w3c-markup-validator/cgi-bin

Then run in permissive mode and collect the AVC messages. We could write a special policy for /usr/share/w3c-markup-validator/check if it needs a lot more privs than a normal cgi script.
Created attachment 125201 [details] audit.log excerpt Ok, here goes. Some things worth noting: The validator uses a template system and currently tries to write the precompiled templates to /tmp/validator/[...], that's where those paths in the log are from. I'm not 100% sure if that's the best place for them, maybe /var/cache/w3c-markup-validator would be better. The log contains a few usual validator requests from URLs, some for uploaded files, and one in the end for a document that triggers the need for onsgmls to fetch a DTD from the net.
Ok, I think we are most of the way there, but we probably should build a new policy for it.
Created attachment 125210 [details] Te file for new policy Te file
Created attachment 125211 [details] File context file File context
Created attachment 125212 [details] Interface file interface file
If you extract these three packages into a directory and then execute

make -f /usr/share/selinux/devel/Makefile

it will build a w3c.pp file. You can then load the file into policy using

semodule -i w3c.pp

Now relabel the directories:

restorecon -R -v /usr/share/w3c-markup-validator

Run in permissive mode and collect AVCs. You can then use

audit2allow -R -i /var/log/audit/audit.log

to generate policy for w3c, add these to the te file and repeat the make and semodule commands.
Hmm, what am I missing:

$ make -f /usr/share/selinux/devel/Makefile
Compliling devel w3c module
/usr/bin/checkmodule: loading policy configuration from tmp/w3c.tmp
w3c.te:3:ERROR 'attribute httpdcontent is not declared' at token ';' on line 39427:
#line 3
type httpd_w3c_content_t, httpdcontent; # customizable
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/w3c.mod] Error 1
Yea, sorry about that. You need to update to policy-2.2.21-8 on ftp://people.redhat.com/dwalsh/SELinux/Fedora
Ok, updated selinux-policy and selinux-policy-targeted, got w3c.pp generated and managed to load it. But audit2allow barfs:

audit2allow -R -i /var/log/audit/audit.log
/usr/bin/audit2allow: Reference policy generation requires the policy development package.
[Errno 2] No such file or directory: '/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt'

selinux-policy-devel doesn't seem to exist any more for 2.2.21-8, so I'm unsure what is the package I need to install.
The policycoreutils package has also been updated you need 1.29.26-2 which is in Rawhide, or you can grab it off of people.
I already have (and had) 1.29.26-2 installed from Rawhide.
Created attachment 125260 [details] WIP w3c.te Ok, here's my latest w3c.te. I suppose this still needs some tightening up.
Created attachment 129265 [details] Current w3c.fc

I've worked some more on this, and I now have something that is pretty close. Here's the *.fc, the *.te will follow shortly. Remaining issues:

1) Caching of precompiled templates: I'll just turn that feature off.

2) On the first validation, no matter what gets validated, I see this:

May 16 23:06:09 viper kernel: audit(1147809969.648:44): avc: denied { read } for pid=14876 comm="check" scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file

No ideas where that comes from. Thoughts?

3) Even with the ftp_port things uncommented in the soon-to-be-upped w3c.te, I see this for FTP validations:

May 16 23:06:29 viper kernel: audit(1147809989.825:45): avc: denied { name_connect } for pid=14889 comm="check" dest=7654 scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
May 16 23:06:29 viper kernel: audit(1147809989.825:46): avc: denied { send_msg } for pid=14889 comm="check" saddr=192.168.2.5 src=57424 daddr=193.166.3.2 dest=7654 netif=wlan0 scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
May 16 23:06:29 viper kernel: audit(1147809989.841:47): avc: denied { recv_msg } for saddr=193.166.3.2 src=7654 daddr=192.168.2.5 dest=57424 netif=wlan0 scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

I wonder what I should do to get rid of those? If it's hard to do, I'm willing to just leave FTP out from the policy module; HTTP and HTTPS are by far the most used ones anyway.
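As an added example (not code from this bug or from the w3c-markup-validator package), here is a small Python parser for AVC lines like the ones quoted above. It collapses them into candidate allow rules the way audit2allow's raw mode does and separates out the denials whose target is the generic port_t type, which is what the ftp_port rules in the .te cannot satisfy. The function names are mine, and the sample input is the four log lines from the comment re-embedded as constructed data.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC lines quoted in the comment above. Note the recv_msg
# line carries no pid/comm, exactly as the kernel logged it.
SAMPLE_AVCS = """\
May 16 23:06:09 viper kernel: audit(1147809969.648:44): avc: denied { read } for pid=14876 comm="check" scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
May 16 23:06:29 viper kernel: audit(1147809989.825:45): avc: denied { name_connect } for pid=14889 comm="check" dest=7654 scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
May 16 23:06:29 viper kernel: audit(1147809989.825:46): avc: denied { send_msg } for pid=14889 comm="check" saddr=192.168.2.5 src=57424 daddr=193.166.3.2 dest=7654 netif=wlan0 scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
May 16 23:06:29 viper kernel: audit(1147809989.841:47): avc: denied { recv_msg } for saddr=193.166.3.2 src=7654 daddr=192.168.2.5 dest=57424 netif=wlan0 scontext=user_u:system_r:httpd_w3c_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms, fields), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type[:mls]; the type is always the third component.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], set(m.group("perms").split()), fields


def summarize_denials(log_text):
    """Collapse AVC lines into {(stype, ttype, tclass): set(perms)}, as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms, _ = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def as_allow_rules(rules):
    """Render the summary as raw 'allow' statements, sorted for a stable diff."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


def generic_port_denials(rules):
    """Pick out network denials whose target is port_t, i.e. a port with no specific
    label. A corenet_*_ftp_port rule only covers ftp_port_t, so these need a different
    fix (a port label or a generic-port interface), not more ftp_port lines."""
    return {k: v for k, v in rules.items() if k[1] == "port_t"}
```

Running summarize_denials on a real audit.log excerpt gives the same two rule keys that audit2allow would report for this case, with the three tcp_socket permissions merged into one line.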
Created attachment 129267 [details] Current w3c.te

Here's the *.te. Notes:

- Plain corenet_tcp_connect_*_port doesn't seem to be enough, I needed to add the corresponding sendrecv.
- miscfiles_read_certs is required for SSL/TLS validations

By the way, "w3c" sounds like a too generic name for this policy, there's a *lot* of different web apps available from W3C with differing functionality and requirements. Are there any suggested naming conventions/constraints for the modules? Would "w3c-validator" work?
Sure. We don't have any naming conventions yet. I attempt to match the rpm file and it is preferred lower case. Have you tried to get your policy accepted upstream? Dan
Not yet, as there are some TODOs, see comment 14, issues 2) and 3) (any thoughts on those?). Additionally, I think I'll wait a bit before trying to push this upstream because a new release of the validator is in the pipeline and it might change things somewhat.
Hm, comment 17 had some unanswered questions; "CLOSED NOTABUG" without a comment implies this is not the place to ask them. What would be?
Sorry, I was just going through cleaning up a bunch of old bugs. Let's take this to email. Since w3c is now part of Extras I want to add policy for it. How do you test/run it?