fedora-selinux August 2010 archive

Re: Sample Passenger/Rails policy for review

From: Dominick Grift <domg472_at_nospam>
Date: Thu Aug 19 2010 - 11:41:13 GMT
To: selinux@lists.fedoraproject.org

On 08/19/2010 01:31 PM, Moray Henderson wrote:
> Dominick Grift wrote:
>> On 08/17/2010 05:34 PM, Moray Henderson wrote:
>>> Dominick Grift wrote:
>>>> On 08/16/2010 03:58 PM, Moray Henderson (ICT) wrote:
>>>>> Hi all,
>>>>>
>>>>> I've been looking at getting a Ruby on Rails app working through
>>>>> Passenger under CentOS 5.5. I felt it should run in its own
>>>>> security context, so I came up with the following sample module.
>>>>> Please comment.
>>>>
>>>>
>>>> This is not how I would do it probably, although I am not sure if my
>>>> approach would be much better.
>>>>
>>>> Instead of using the httpd_content_template() I would treat
>>>> mod_passenger as a normal domain.
>>>>
>>>> Then allow httpd_t to transition to the new mod_passenger domain when
>>>> it runs the passenger executable file.
>>>>
>>>> The advantage of this, i think, is that you do not have to allow
>>>> rules like this:
>>>>
>>>> allow httpd_t self:capability { fowner fsetid };
>>>>
>>>> Also with regard to the policy below:
>>>>
>>>> allow httpd_t httpd_myapp_script_t:process { siginh rlimitinh
>>>> noatsecure };
>>>>
>>>> This should not be needed and is by default silently denied.
>>>
>>> You're right, I removed the allow ...:process rule, and it still
>>> worked.
>>>
>>>
>>> How do I get httpd_t to transition to an ordinary domain? I've been
>>> experimenting with domain_entry_file and domain_transition_pattern,
>>> but keep getting denials for httpd_t writing to myapp_script_rw_t. It
>>> obviously has not transitioned by the time it tries to write its
>>> temporary files in /var/run/passenger.
>>
>> These would be the process and executable file declarations in the
>> passenger.te source policy file:
>>
>> type passenger_t;
>> type passenger_exec_t;
>> domain_type(passenger_t)
>> domain_entry_file(passenger_t, passenger_exec_t)
>> role system_r types passenger_t;
>>
>> This would be the shared policy that facilitates the domain transition
>> to passenger via passenger_exec_t for other domains like httpd_t, in
>> passenger.if:
>>
>> ########################################
>> ## <summary>
>> ##     Execute a domain transition to
>> ##     run Passenger.
>> ## </summary>
>> ## <param name="domain">
>> ##     <summary>
>> ##     Domain allowed to transition.
>> ##     </summary>
>> ## </param>
>> #
>> interface(`passenger_domtrans',`
>>     gen_require(`
>>         type passenger_t, passenger_exec_t;
>>     ')
>>
>>     domtrans_pattern($1, passenger_exec_t, passenger_t)
>>     files_search_usr($1)
>>     libs_search_lib($1)
>> ')
>>
>> And then for httpd_t to transition to passenger_t you would call that
>> from the apache local policy:
>>
>> passenger_domtrans(httpd_t)
>>
>> Then of course you would have to declare types for Passenger's objects in
>> /tmp and also facilitate access to those the same way.
>>
>> But I think all in all your solution is fine and easier.
>>
>> I am just wondering if there is a way to get rid of this:
>>
>> allow httpd_t self:capability { fowner fsetid };
>>
>> Are you sure that you labelled all passenger executable files?
>>
>> Can you show us the raw AVC denial that prompted the rule above?
>> It can show us if it was really apache running in the httpd_t domain
>> that needed the fowner and fsetid capability or maybe a passenger
>> executable that ran in the httpd_t domain.
>>
>> If the latter, then you can avoid that by labelling it with the
>> passenger executable type.
>
> You're right - when I was first trying to develop the policy, apache
> wouldn't start without the capability { fowner fsetid }, but now I've
> got the labelling and transitions working properly, I can take that line
> out again.
>
> I still get denials when apache starts or stops:
>
> type=AVC msg=audit(1282212879.945:6710639): avc: denied { fowner } for
> pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:system_r:httpd_t:s0 tclass=capability
> type=SYSCALL msg=audit(1282212879.945:6710639): arch=40000003 syscall=15
> success=no exit=-1 a0=91d95ec a1=9c0 a2=8051614 a3=0 items=0 ppid=10439
> pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod"
> subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1282212879.946:6710640): avc: denied { fowner } for
> pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:system_r:httpd_t:s0 tclass=capability
> type=SYSCALL msg=audit(1282212879.946:6710640): arch=40000003 syscall=15
> success=no exit=-1 a0=91d96a4 a1=9c0 a2=8051614 a3=0 items=0 ppid=10439
> pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod"
> subj=user_u:system_r:httpd_t:s0 key=(null)

So something running in the httpd_t domain wants to change file
ownership of some object.

Still wondering what is running in the httpd_t domain that ran chmod,
and on which object it ran it.

> but I can dontaudit those. I've also changed the labelling so that only
> the passenger executable is labelled with the entry type; all other
> passenger files are content type. The policy becomes:
>
> #### myapp.te ####
> policy_module(myapp,1.0)
>
> apache_content_template(myapp)
>
> kernel_read_kernel_sysctls(httpd_myapp_script_t)
> miscfiles_read_certs(httpd_myapp_script_t)
> term_use_all_user_ptys(httpd_myapp_script_t)
>
> dontaudit httpd_t self:capability { fowner };
> allow httpd_t httpd_myapp_script_t:unix_stream_socket rw_socket_perms;
> allow httpd_t httpd_myapp_script_rw_t:fifo_file manage_file_perms;
> allow httpd_t httpd_myapp_script_rw_t:sock_file { setattr unlink };
>
> allow httpd_myapp_script_t self:capability { chown dac_override
> dac_read_search fowner fsetid setgid setuid };
> allow httpd_myapp_script_t httpd_t:unix_stream_socket { read write };
>
> #### myapp.fc ####
> /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15/lib/phusion_passenger/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:httpd_myapp_script_exec_t,s0)
> /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15(/.*)? gen_context(system_u:object_r:httpd_myapp_content_t,s0)
> /usr/local/lib/myapp(/.*)? gen_context(system_u:object_r:httpd_myapp_content_t,s0)
> /var/run/passenger(/.*)? gen_context(system_u:object_r:httpd_myapp_script_rw_t,s0)
>
>
> Thanks for your reply on the documentation, too. I'll take time to work
> through it properly.
>
>
> Moray.
> "To err is human. To purr, feline"
>
>
>
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
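As an added example (not part of the thread or of anyone's policy), a small Python script that pairs the AVC records quoted above with their SYSCALL records by audit serial and decodes capability=3 and syscall=15 on arch=40000003 into names, which is the first step in answering what in httpd_t ran chmod. The sample log is copied from the denials quoted above; the capability and syscall name tables are the example's own (subsets).

```python
import re
from collections import defaultdict

# Sample input: the AVC/SYSCALL pairs quoted above, one record per line as auditd writes them.
AUDIT_LOG = """\
type=AVC msg=audit(1282212879.945:6710639): avc: denied { fowner } for pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1282212879.945:6710639): arch=40000003 syscall=15 success=no exit=-1 a0=91d95ec a1=9c0 a2=8051614 a3=0 items=0 ppid=10439 pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1282212879.946:6710640): avc: denied { fowner } for pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1282212879.946:6710640): arch=40000003 syscall=15 success=no exit=-1 a0=91d96a4 a1=9c0 a2=8051614 a3=0 items=0 ppid=10439 pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod" subj=user_u:system_r:httpd_t:s0 key=(null)
"""

# capability= numbers named as SELinux policy spells them; arch=40000003 is
# AUDIT_ARCH_I386, so syscall numbers are decoded with the i386 table (both are subsets).
CAPABILITY_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner", 4: "fsetid"}
I386_SYSCALLS = {15: "chmod", 94: "fchmod"}
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_DENIED = re.compile(r"denied\s+\{\s*([^}]*)\}")

def parse_record(line):
    """Split one audit line into (type, serial, fields); None if not an audit record."""
    m = re.match(r"type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)", line)
    if not m:
        return None
    rtype, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _FIELD.findall(rest)}
    denied = _DENIED.search(rest)
    fields["denied"] = denied.group(1).split() if denied else []
    return rtype, int(serial), fields

def correlate(log):
    """Group records by audit serial so each AVC is paired with the SYSCALL that caused it."""
    events = defaultdict(dict)
    for line in log.splitlines():
        rec = parse_record(line)
        if rec:
            rtype, serial, fields = rec
            events[serial][rtype] = fields
    return events

def summarize(log):
    """Decode each capability denial: domain, executable, parent pid and syscall name."""
    out = []
    for serial, recs in sorted(correlate(log).items()):
        avc, sc = recs.get("AVC", {}), recs.get("SYSCALL", {})
        if avc.get("tclass") != "capability":
            continue
        nr = sc.get("syscall")
        syscall = I386_SYSCALLS.get(int(nr), nr) if nr and sc.get("arch") == "40000003" else nr
        cap = CAPABILITY_NAMES.get(int(avc["capability"]), avc["capability"])
        # exe is /bin/chmod rather than httpd or a Passenger binary, so the parent (ppid)
        # is the process to look up to learn what in httpd_t is running chmod.
        out.append({"serial": serial, "domain": avc["scontext"].split(":")[2], "comm": avc.get("comm"),
                    "exe": sc.get("exe"), "ppid": sc.get("ppid"), "syscall": syscall,
                    "capability": cap, "denied": avc["denied"]})
    return out
```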
