Question regarding: selinux / perl-cgi / iptables

Paul Howarth paul at city-fan.org
Mon Dec 3 12:09:51 UTC 2007


Paul McAvoy wrote:
> Hi, I was wondering if anyone has information or can direct me to more
> details on the following:
> 
> I have been using a perl cgi script on a personal web-server of mine
> to control access to SSH.
> Essentially, it is a knock-knock system.  I would go to a specific URL
> with the cgi, enter some information, and the perl script would add my
> ip address to the allowed list for SSH in the firewall.
> 
> I have been working on learning the details with SELinux, and trying
> to come up with some rules to allow the script to work correctly.
> There appears to be some kind of conflict either related to the script
> itself, or being run through httpd and getting access to the iptables
> command tools.
> 
> The CGI script (written in perl) is SUID root.
> Httpd runs the script.
> The script will run the iptables command line tools to examine the
> table (to see if the ip address is already allowed), and also to add a
> new ip address to the allowed list.
> 
> My current method of trying to create the appropriate policy is to
> continue testing the cgi-script, watching the audit log, and running
> audit2allow on the selected audit messages.
> 
> My current policy is:
> 
> ...
> require {
>        type modules_conf_t;
>        type modules_dep_t;
>        type sysctl_modprobe_t;
>        type boot_t;
>        type httpd_sys_script_t;
>        type modules_object_t;
>        class capability net_raw;
>        class dir { getattr search };
>        class file { read getattr };
>        class rawip_socket { getopt create };
> }
> 
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t boot_t:dir getattr;
> allow httpd_sys_script_t modules_conf_t:file { read getattr };
> allow httpd_sys_script_t modules_dep_t:file read;
> allow httpd_sys_script_t modules_object_t:dir search;
> allow httpd_sys_script_t self:capability net_raw;
> allow httpd_sys_script_t self:rawip_socket { getopt create };
> ...
> 
> So, my question boils down to this:
> (I'm running Fedora Core 7)
> Do I just continue running the audit2allow repeatedly to create a
> policy to do what I want?
> 
> Is there a better way to solve this problem?  I am concerned that just
> creating a policy to allow my script to run will create other more
> substantial holes.
> 
> I am also open to creating a tool to update my iptables some other
> way.  Maybe perl-cgi is not the best method?
> 
> Thanks in advance for any information!

The quickest fix for this is probably to relabel your script as 
httpd_unconfined_script_exec_t, which would run that particular script 
unconfined by SELinux without opening up all sorts of extra avenues for 
all the other scripts on your system.

Longer term I'd be inclined to write a specific policy for this script 
using the apache_content_template, but that's a bigger job.

Paul.
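As an added example that is not part of the original thread (it is neither Paul Howarth's nor Fedora's own code), the following shell script turns both suggestions in the reply above into runnable steps: the quick fix, which persists the httpd_unconfined_script_exec_t label with semanage fcontext rather than a chcon that the next restorecon would undo, and the longer-term fix, which builds a small policy module around apache_content_template and lets the resulting domain transition into iptables_t instead of collecting net_raw/net_admin and modprobe permissions itself, which is what the audit2allow output in the question was accumulating. The script path /var/www/cgi-bin/knock.cgi, the module name knock and the /usr/share/selinux/devel/Makefile location are assumptions, not details from the thread.

```shell
#!/bin/sh
# Added example, not code from the fedora-selinux-list thread.
# Two ways to let one CGI script run iptables under SELinux:
#   quick  : relabel the script httpd_unconfined_script_exec_t (unconfined)
#   module : give it its own domain via apache_content_template + iptables_domtrans
# Assumed (not stated in the thread): script path, module name, Makefile path.
set -eu

SCRIPT=${SCRIPT:-/var/www/cgi-bin/knock.cgi}   # assumption
MODULE=${MODULE:-knock}                         # assumption

# semanage fcontext takes a regular expression, so escape metacharacters
# ("." in knock.cgi) to match the path literally.
fcontext_regex() {
    printf '%s\n' "$1" | sed 's/[.[\*^$]/\\&/g'
}

# Commands for the quick fix: persist the label, apply it, then verify.
quick_relabel_cmds() {
    regex=$(fcontext_regex "$1")
    printf 'semanage fcontext -a -t httpd_unconfined_script_exec_t %s\n' "'$regex'"
    printf 'restorecon -v %s\n' "'$1'"
    printf 'ls -Z %s\n' "'$1'"
}

# Source for the longer-term fix: apache_content_template(knock) creates
# httpd_knock_script_t / httpd_knock_script_exec_t; iptables_domtrans()
# runs /sbin/iptables in iptables_t, so the script domain never needs
# net_raw, rawip_socket or the modprobe-related file access itself.
# Prints the path of the generated .te file.
write_module_source() {
    name=$1; script=$2; dir=$3
    cat > "$dir/$name.te" <<EOF
policy_module($name, 1.0)

apache_content_template($name)

# Run iptables in its own domain instead of granting the
# script domain net_raw / net_admin directly.
iptables_domtrans(httpd_${name}_script_t)
EOF
    cat > "$dir/$name.fc" <<EOF
$(fcontext_regex "$script") -- gen_context(system_u:object_r:httpd_${name}_script_exec_t,s0)
EOF
    printf '%s\n' "$dir/$name.te"
}

# Build with the policy devel Makefile (expands the m4 interfaces), install,
# and relabel the script so it picks up httpd_knock_script_exec_t.
install_module() {
    name=$1; dir=$2
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$name.pp" )
    semodule -i "$dir/$name.pp"
    restorecon -v "$SCRIPT"
}

case "${1:-}" in
    quick)  quick_relabel_cmds "$SCRIPT" | sh ;;
    module) d=$(mktemp -d)
            write_module_source "$MODULE" "$SCRIPT" "$d" >/dev/null
            install_module "$MODULE" "$d" ;;
    *)      quick_relabel_cmds "$SCRIPT" ;;   # dry run: only print the quick-fix commands
esac
```

Run it with no argument to see the quick-fix commands, with `quick` to apply them, or with `module` to build and install the policy module; in both cases check the result with `ls -Z` on the script and, after a test request, `ausearch -m avc -ts recent`. Note that SELinux only narrows what the script may do: the module variant still needs the script to be SUID root, because iptables_t grants SELinux permissions, not DAC root, and any input the CGI accepts before calling iptables remains the part worth validating strictly.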
