CGI Script permissions
Daniel J Walsh
dwalsh at redhat.com
Thu Jun 8 19:03:36 UTC 2006
Paul Howarth wrote:
> On Fri, 2006-05-26 at 14:18 -0400, Daniel J Walsh wrote:
>
>> Paul Howarth wrote:
>>
>>> I made something similar for my moin wiki running under mod_fcgid:
>>>
>>> te file:
>>>
>>> policy_module(apache, 0.2.1)
>>>
>>> require {
>>> type devpts_t;
>>> type httpd_t;
>>> type httpd_log_t;
>>> type httpd_sys_script_exec_t;
>>> type var_run_t;
>>> };
>>>
>>> # ==========================================================
>>> # Create and use httpd_fastcgi_script_t for mod_fcgid apps
>>> # ==========================================================
>>>
>>> apache_content_template(fastcgi)
>>> kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
>>>
>>> # Allow FastCGI applications to live alongside regular CGI apps
>>> allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
>>>
>>> # Allow FastCGI applications to listen for FastCGI requests on their
>>> # sockets and respond to them
>>> allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
>>>
>>> # FastCGI application doing something to the httpd error log
>>> dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
>>>
>>> # Not sure what this is doing (happens when fastcgi scripts start)
>>> dontaudit httpd_t devpts_t:chr_file ioctl;
>>>
>>> # mod_fcgid setting attr of its socket dir
>>> allow httpd_t var_run_t:dir setattr;
>>>
>> Why not create a context for its socket dir so you don't need this for
>> var_run?
>>
>
> The obvious type to use would really be httpd_var_run_t rather than
> creating a new type (comparing with other users of /var/run). In fact I
> think I tried that but it seemed worse than leaving it the default
> var_run_t and adding the one allow rule. What would you suggest?
>
>
What errors do you see?
We already have these rules in policy:
allow httpd_t httpd_var_run_t:file create_file_perms;
allow httpd_t httpd_var_run_t:sock_file create_file_perms;
allow httpd_t httpd_var_run_t:dir rw_dir_perms;
files_pid_filetrans(httpd_t,httpd_var_run_t, { file sock_file })
Which should be able to handle this if you relabel the /var/run/XYZ dir.
>>> fc file:
>>>
>>> /srv/www/tips/cgi-bin/moin.fcgi --
>>> gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
>>> /var/www/tips/cgi-bin/moin.fcgi --
>>> gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
>>>
>>> Paul.
>>>
>> I think it might be a good idea to add this (fastcgi that is) policy to
>> base. Have you tried to submit it upstream?
>>
>
> Not yet; it probably needs more work to add further capabilities, as
> I've only used one application with FastCGI myself, and I can see that
> httpd_sys_script_t has far more capabilities than I've so far allowed to
> httpd_fastcgi_script_t. Perhaps there should be an interface that goes
> further than apache_content_template and adds capabilities needed by
> most server-side scripts (e.g. the kernel_read_kernel_sysctls from
> above), for use in developing custom types like httpd_fastcgi_script_t?
>
> Paul.
>
>
>
You could create an apache_fastcgi_content_template in an .if to do what
you want. Almost all httpd_sys_ rules are defined in apache_content_template.
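The two suggestions in this thread (move the FastCGI rules into a template in an .if file, and label the socket directory httpd_var_run_t instead of allowing httpd_t setattr on var_run_t) put together as one local module. This is an added example, not Paul's module and not anything shipped in the base policy. Assumed names: the module name fastcgi_local, the template name apache_fastcgi_content_template (Dan's suggested name, not an existing interface), and the socket directory /var/run/mod_fcgid, which has to be whatever your mod_fcgid SocketPath actually points at. The moin.fcgi paths are the ones from the posted fc file.

```selinux
# ---- fastcgi_local.if : one template holding every rule a
#      mod_fcgid-launched application needs ----

########################################
## <summary>
##	Create a httpd_PREFIX_script_t domain for a FastCGI application
##	launched by mod_fcgid.
## </summary>
## <param name="prefix">
##	<summary>Prefix for the new types, e.g. fastcgi.</summary>
## </param>
#
template(`apache_fastcgi_content_template',`
	gen_require(`
		type httpd_t, httpd_log_t, httpd_sys_script_exec_t;
	')

	# creates httpd_$1_script_t, httpd_$1_script_exec_t, httpd_$1_content_t
	# and the httpd_t rules around them, the same way httpd_sys_* are made
	apache_content_template($1)

	kernel_read_kernel_sysctls(httpd_$1_script_t)

	# FastCGI apps may sit in the same cgi-bin as plain CGI scripts
	allow httpd_$1_script_t httpd_sys_script_exec_t:dir search_dir_perms;

	# the application answers FastCGI requests on the unix socket that
	# mod_fcgid (running as httpd_t) hands it
	allow httpd_$1_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;

	# ioctl on the httpd error log is harmless; just silence it
	dontaudit httpd_$1_script_t httpd_log_t:file ioctl;
')

# ---- fastcgi_local.te ----
policy_module(fastcgi_local, 0.1)

require {
	type httpd_t;
	type httpd_var_run_t;
}

# httpd_fastcgi_script_t and httpd_fastcgi_script_exec_t come from the template
apache_fastcgi_content_template(fastcgi)

# The base rule quoted above only transitions { file sock_file } to
# httpd_var_run_t, so a socket *directory* that mod_fcgid creates under
# /var/run inherits var_run_t from its parent; that is what forced the
# "allow httpd_t var_run_t:dir setattr" rule. Transitioning dirs as well
# keeps everything httpd creates in /var/run under httpd_var_run_t.
files_pid_filetrans(httpd_t, httpd_var_run_t, dir)

# ---- fastcgi_local.fc ----
# application entry points, taken from the posted fc file
/srv/www/tips/cgi-bin/moin\.fcgi	--	gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
/var/www/tips/cgi-bin/moin\.fcgi	--	gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)

# ASSUMED socket directory: replace with the directory your mod_fcgid
# SocketPath directive names. Labelled httpd_var_run_t, it is covered by
# the existing httpd_t rules and needs no allow on var_run_t at all.
/var/run/mod_fcgid(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
```

Build the three files with the refpolicy development Makefile (make -f /usr/share/selinux/devel/Makefile fastcgi_local.pp), load with semodule -i fastcgi_local.pp, then restorecon -R the cgi-bin and socket directories. The dir transition only matters when httpd creates the socket directory itself on start-up; if the directory already exists, the fc entry plus restorecon is what gives it httpd_var_run_t.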