[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: CGI Script permissions



Daniel J Walsh wrote:
Jochen Wiedmann wrote:
Paul Howarth wrote:

The simplest fix might be to change the file context of this particular
CGI script to httpd_unconfined_script_exec_t instead of
httpd_sys_script_t. That would effectively turn off SELinux protection
for that particular script.

The alternative approach of using audit2allow to create a local policy
to allow these capabilities would turn on these capabilities for *all*
of your CGI scripts, which IMHO would be worse than turning off
protection for just that one script (particularly if that script was
well-audited for security issues).

Ideally it would be easy to create a subclass of CGI scripts and assign
special capabilities to those (I have a similar issue with FastCGI
scripts that need slightly more capabilities than regular CGI scripts),
but that's beyond me at this moment.

As the script in question can indeed be called well-audited (basically, it
just allows to trigger a certain action by calling another script with
fixed attributes), I have decided to go with httpd_unconfined_script_exec_t.
That did the trick neatly.

Thanks very much,

Jochen

Another alternative might be to write your own module

Create three files

# cat  >> myapache.te  << _EOF
policy_module(myapache,1.0.0)
apache_content_template(myapache)
allow httpd_myapache_script_t self:capability setuid;
allow httpd_myapache_script_t self:process setrlimit;
_EOF

echo > myapache.if

# cat  >> myapache.te  << _EOF

That should be myapache.fc

/var/www/cgi-bin/myapache_script -- gen_context(system_u:object_r:httpd_myapache_script_exec_t,s0)
_EOF

Then build a policy module.

make -f /usr/share/selinux/devel/Makefile

semodule -i myapache.pp

restorecon -F -v /var/www/cgi-bin/myapache_script

Then try it out. Of course you might need additional rules.

I made something similar for my moin wiki running under mod_fcgid:

te file:

policy_module(apache, 0.2.1)

require {
        type devpts_t;
        type httpd_t;
        type httpd_log_t;
        type httpd_sys_script_exec_t;
        type var_run_t;
};

# ==========================================================
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
# ==========================================================

apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)

# Allow FastCGI applications to live alongside regular CGI apps
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };

# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };

# FastCGI application doing something to the httpd error log
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;

# Not sure what this is doing (happens when fastcgi scripts start)
dontaudit httpd_t devpts_t:chr_file ioctl;

# mod_fcgid setting attr of its socket dir
allow httpd_t var_run_t:dir setattr;


fc file:

/srv/www/tips/cgi-bin/moin.fcgi -- gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0) /var/www/tips/cgi-bin/moin.fcgi -- gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)

Paul.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]