Domains, interpreted languages, and Cron scripts
Colin Walters
walters at redhat.com
Sun Aug 15 06:03:35 UTC 2004
On Sat, 2004-08-14 at 12:40 -0700, Bill McCarty wrote:
> I've run into an architectural headache that someone else must already have
> visited, and perhaps solved. But, I find no mention of the problem in list
> archives or elsewhere.
Actually I think this is the same problem as the "crond/mailman" thread
just above :)
> I have several Python scripts that run under Cron. Some of these scripts
> access or modify sensitive data, and so I'd like to define one or more
> domains by means of which to limit their privileges.
Definitely possible.
> However, the exe name
> associated with such scripts is /usr/bin/python2.3, rather than the name of
> the script.
You mean that you see exe=/usr/bin/python2.3 in the audit logs? That's
just a side effect of the way the kernel interprets the #! header and
executes the script, it doesn't mean all python scripts have to run in
the same domain.
> Consistent with the principle of least privilege, I'd prefer to
> define distinct domains for each script, rather than an overly broad
> python_t domain, for instance.
After creating your domain, just be sure that the context is set
correctly on the executable file, and that you execute it directly.
For example:
[root at monk root]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t
[root at monk root]# cat /usr/local/bin/foo.py
#!/usr/bin/python2.3
import os
os.system("id")
[root at monk root]# ls -alZ /usr/local/bin/foo.py
-rwxr-xr-x+ root root root:object_r:bin_t /usr/local/bin/foo.py
[root at monk root]# /usr/local/bin/foo.py
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t
[root at monk root]# chcon -t unconfined_exec_t /usr/local/bin/foo.py
[root at monk root]# ls -alZ /usr/local/bin/foo.py
-rwxr-xr-x+ root root root:object_r:unconfined_exec_t /usr/local/bin/foo.py
[root at monk root]# /usr/local/bin/foo.py
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:unconfined_t
You can see from the above that when I originally executed the script, I
remained in the security context root:sysadm_r:sysadm_t. That's because
the script had the bin_t type, and there is no transition. However,
when I changed the type of the script to unconfined_exec_t, this caused
a transition to root:sysadm_r:unconfined_t (note the different type).
So what you would do is create your own domain foo_script_t, and just
do:
chcon -t foo_script_t /path/to/script
Does that make sense?
> One idea: Would it be a good thing to modify Run-parts to transition to a
> domain named for the Cron script it launches? Doing so would seem to solve
> my problem, but it might create others <g>.
I don't think it's necessary to modify run-parts. Instead, inside the
definition of your foo_script.te file, do something like:
ifdef(`crond.te', `
system_crond_entry(foo_script_exec_t, foo_script_t)
')
system_crond_entry is a macro that causes the transition to happen
automatically.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20040815/d15544a9/attachment.sig>
More information about the fedora-selinux-list
mailing list