fedora-selinux August 2010 archive

RE: Sample Passenger/Rails policy for review

From: Moray Henderson <Moray.Henderson_at_nospam>
Date: Thu Aug 19 2010 - 11:31:49 GMT
To: <selinux@lists.fedoraproject.org>

Dominick Grift wrote:
>On 08/17/2010 05:34 PM, Moray Henderson wrote:
>> Dominick Grift wrote:
>>> On 08/16/2010 03:58 PM, Moray Henderson (ICT) wrote:
>>>> Hi all,
>>>>
>>>> I've been looking at getting a Ruby on Rails app working through
>>>> Passenger under CentOS 5.5. I felt it should run in its own
>>>> security context, so I came up with the following sample module.
>>>> Please comment.
>>>
>>>
>>> This is not how i would do it probably, although i am not sure if my
>>> approach would be much better.
>>>
>>> Instead of using the httpd_content_template() i would treat
>>> mod_passenger as a normal domain.
>>>
>>> Then allow httpd_t to transition to the new mod_passenger domain
>>> when it runs the passenger executable file.
>>>
>>> The advantage of this, i think, is that you do not have to allow
>>> rules like this:
>>>
>>> allow httpd_t self:capability { fowner fsetid };
>>>
>>> Also with regard to the policy below:
>>>
>>> allow httpd_t httpd_myapp_script_t:process { siginh rlimitinh
>>> noatsecure };
>>>
>>> This should not be needed and is by default silently denied.
>>
>> You're right, I removed the allow ...:process rule, and it still
>> worked.
>>
>>
>> How do I get httpd_t to transition to an ordinary domain? I've been
>> experimenting with domain_entry_file and domain_transition_pattern,
>> but keep getting denials for httpd_t writing to myapp_script_rw_t.
>> It obviously has not transitioned by the time it tries to write its
>> temporary files in /var/run/passenger.
>
>These would be the process and executable file declarations in
>passenger.te source policy file:
>
>type passenger_t;
>type passenger_exec_t;
>domain_type(passenger_t)
>domain_entry_file(passenger_t, passenger_exec_t)
>role system_r types passenger_t;
>
>This would be the shared policy that facilitates the domain transition
>to passenger via passenger_exec_t for other domains like httpd_t in
>passenger.if:
>
>########################################
>## <summary>
>##	Execute a domain transition to
>##	run Passenger.
>## </summary>
>## <param name="domain">
>##	<summary>
>##	Domain allowed to transition.
>##	</summary>
>## </param>
>#
>interface(`passenger_domtrans',`
>	gen_require(`
>		type passenger_t, passenger_exec_t;
>	')
>
>	domtrans_pattern($1, passenger_exec_t, passenger_t)
>	files_search_usr($1)
>	libs_search_lib($1)
>')
>
>And then for httpd_t to transition to passenger_t you would call that
>from the apache local policy:
>
>passenger_domtrans(httpd_t)
>
>Then of course you would have to declare types for passenger's objects in
>/tmp and also facilitate access to that the same way.
>
>But i think all in all your solution is fine and easier.
>
>I am just wondering if there is a way to get rid of this:
>
>allow httpd_t self:capability { fowner fsetid };
>
>Are you sure that you labelled all passenger executable files?
>
>Can you show us the raw AVC denial that prompted the rule above?
>It can show us if it was really apache running in the httpd_t domain
>that needed the fowner and fsetid capability or maybe a passenger executable
>that ran in the httpd_t domain.
>
>If the latter, then you can avoid that by labelling it with the
>passenger executable type.

You're right - when I was first trying to develop the policy, apache
wouldn't start without the capability { fowner fsetid }, but now I've
got the labelling and transitions working properly, I can take that line
out again.

I still get denials when apache starts or stops:

type=AVC msg=audit(1282212879.945:6710639): avc: denied { fowner } for
pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1282212879.945:6710639): arch=40000003 syscall=15
success=no exit=-1 a0=91d95ec a1=9c0 a2=8051614 a3=0 items=0 ppid=10439
pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1282212879.946:6710640): avc: denied { fowner } for
pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1282212879.946:6710640): arch=40000003 syscall=15
success=no exit=-1 a0=91d96a4 a1=9c0 a2=8051614 a3=0 items=0 ppid=10439
pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod"
subj=user_u:system_r:httpd_t:s0 key=(null)

but I can dontaudit those. I've also changed the labelling so that only
the passenger executable is labelled with the entry type; all other
passenger files are content type. The policy becomes:

#### myapp.te ####
policy_module(myapp,1.0)

apache_content_template(myapp);

kernel_read_kernel_sysctls(httpd_myapp_script_t);
miscfiles_read_certs(httpd_myapp_script_t);
term_use_all_user_ptys(httpd_myapp_script_t);

dontaudit httpd_t self:capability { fowner };
allow httpd_t httpd_myapp_script_t:unix_stream_socket rw_socket_perms;
allow httpd_t httpd_myapp_script_rw_t:fifo_file manage_file_perms;
allow httpd_t httpd_myapp_script_rw_t:sock_file { setattr unlink };

allow httpd_myapp_script_t self:capability { chown dac_override
dac_read_search fowner fsetid setgid setuid };
allow httpd_myapp_script_t httpd_t:unix_stream_socket { read write };

#### myapp.fc ####
/usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15/lib/phusion_passenger/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:httpd_myapp_script_exec_t, s0)
/usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15(/.*)? gen_context(system_u:object_r:httpd_myapp_content_t, s0)
/usr/local/lib/myapp(/.*)? gen_context(system_u:object_r:httpd_myapp_content_t, s0)
/var/run/passenger(/.*)? gen_context(system_u:object_r:httpd_myapp_script_rw_t, s0)

Thanks for your reply on the documentation, too. I'll take time to work
through it properly.

Moray.
"To err is human. To purr, feline"
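The question raised in the quoted reply (was the denied process apache itself in httpd_t, or a Passenger executable that never transitioned because it is not labelled with the exec type?) can be answered mechanically from the audit records. The following triage script is an added example, not code from this thread or from Passenger; it assumes the path regexes from myapp.fc above and relies on an AVC record and its SYSCALL record sharing the same audit serial, which is how the audit log correlates them. triage_all() returns one (comm, denied permissions, verdict) row per denial.

```python
import re
# Path regexes and types from the myapp.fc above. Only the exec type makes httpd_t
# transition out of its own domain when it executes the file.
EXEC_TYPE = "httpd_myapp_script_exec_t"
FC_ENTRIES = [
    (r"/usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15/lib/phusion_passenger/ApplicationPoolServerExecutable", EXEC_TYPE),
    (r"/usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15(/.*)?", "httpd_myapp_content_t"),
]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\(([\d.]+:\d+)\)")
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")

def parse_audit(text):
    """Merge each AVC record with the SYSCALL record of the same audit serial,
    so the denial carries the path of the executable (exe=) that triggered it."""
    events = {}
    for rec in text.splitlines():
        serial = SERIAL_RE.search(rec)
        if not serial:
            continue
        ev = events.setdefault(serial.group(1), {})
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(rec)}
        if f["type"] == "AVC":
            ev.update(perms=PERMS_RE.search(rec).group(1).split(), comm=f.get("comm"),
                      domain=f["scontext"].split(":")[2], tclass=f["tclass"])
        elif f["type"] == "SYSCALL":
            ev["exe"] = f.get("exe", "")
    return [ev for ev in events.values() if "perms" in ev]

def triage(ev):
    """Apache itself, or a Passenger file that never left httpd_t because it is
    not labelled with the exec type (fix: restorecon, not a new allow rule)?"""
    if ev.get("domain") != "httpd_t":
        return "not-httpd_t"
    for pattern, setype in FC_ENTRIES:
        if re.fullmatch(pattern, ev.get("exe", "")):
            return "mislabelled-exec" if setype == EXEC_TYPE else "content-file-in-httpd_t"
    return "apache-helper"  # e.g. /bin/chmod run by httpd_t itself: dontaudit, as above

# Sample input: the first denial quoted above, re-joined onto one line per record,
# plus one constructed pair (serial 6710641) that exercises the exec-type branch.
SAMPLE = """\
type=AVC msg=audit(1282212879.945:6710639): avc: denied { fowner } for pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1282212879.945:6710639): arch=40000003 syscall=15 success=no exit=-1 a0=91d95ec a1=9c0 a2=8051614 a3=0 items=0 ppid=10439 pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1282212880.100:6710641): avc: denied { fsetid } for pid=10450 comm="ApplicationPool" capability=4 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1282212880.100:6710641): arch=40000003 syscall=15 success=no pid=10450 comm="ApplicationPool" exe="/usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15/lib/phusion_passenger/ApplicationPoolServerExecutable" subj=user_u:system_r:httpd_t:s0 key=(null)
"""
def triage_all(text=SAMPLE):
    return [(ev["comm"], ev["perms"], triage(ev)) for ev in parse_audit(text)]
```

A "mislabelled-exec" verdict means the file on disk does not carry the exec type the .fc file assigns it, so restorecon on that path is the fix rather than another allow or dontaudit rule.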

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux