Dominick Grift wrote:
>> I still get denials when apache starts or stops:
>>
>> type=AVC msg=audit(1282212879.945:6710639): avc: denied { fowner } for pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=capability
>> type=SYSCALL msg=audit(1282212879.945:6710639): arch=40000003 syscall=15 success=no exit=-1 a0=91d95ec a1=9c0 a2=8051614 a3=0 items=0 ppid=10439 pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod" subj=user_u:system_r:httpd_t:s0 key=(null)
>> type=AVC msg=audit(1282212879.946:6710640): avc: denied { fowner } for pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=capability
>> type=SYSCALL msg=audit(1282212879.946:6710640): arch=40000003 syscall=15 success=no exit=-1 a0=91d96a4 a1=9c0 a2=8051614 a3=0 items=0 ppid=10439 pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod" subj=user_u:system_r:httpd_t:s0 key=(null)
>
>So something running in the httpd_t domain wants to change file
>ownership of some object.
>
>Still wondering what is running in the httpd_t domain that ran chmod,
>and on which object did it run it.
I think I've found it. It's in the mod_passenger library, which is currently
-rwxrwxr-x root root system_u:object_r:httpd_modules_t /usr/lib/httpd/modules/mod_passenger.so
There are a couple of functions there that deal with creation and
deletion of FIFOs and mention chmod. As it's loaded by the master
apache daemon, I didn't think we could tweak its permissions.
Everything seems to work - is there a problem?
/* Excerpt from Passenger's C++ source as posted; the includes and the
 * using-declaration are added so the fragment compiles on its own.
 * FileSystemException is Passenger's own exception type (not shown). */
#include <cerrno>
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

using std::string;

static void
createNonWritableFifo(const string &filename) {
    int ret, e;
    bool ignoreChmodErrors = false;

    /* Retry on EINTR: mkfifo(2) may be interrupted by a signal. */
    do {
        ret = mkfifo(filename.c_str(), 0);
    } while (ret == -1 && errno == EINTR);
    if (ret == -1) {
        if (errno == EEXIST) {
            /* The FIFO file was likely created by root, but after lowering
             * privilege createPassengerTempDir() is called again, and this
             * time we won't be able to set permissions. So in this case
             * we'll want to ignore any chmod errors.
             */
            ignoreChmodErrors = geteuid() != 0;
        } else {
            e = errno;
            throw FileSystemException("Cannot create FIFO file " + filename,
                e, filename);
        }
    }

    /* chmod(2) on a file owned by a different uid requires CAP_FOWNER,
     * which is the "fowner" capability the AVC records above are denying. */
    do {
        ret = chmod(filename.c_str(), 0);
    } while (ret == -1 && errno == EINTR);
    if (ret == -1 && !ignoreChmodErrors) {
        e = errno;
        throw FileSystemException("Cannot set permissions on file " +
            filename, e, filename);
    }
}

void
removeDirTree(const string &path) {
    char command[PATH_MAX + 30];
    int result;

    /* Runs /bin/chmod through system(3); the child stays in the caller's
     * SELinux domain, which matches the AVC records showing comm="chmod"
     * exe="/bin/chmod" with subj=...:httpd_t. */
    snprintf(command, sizeof(command), "chmod -R u+rwx \"%s\" 2>/dev/null",
        path.c_str());
    command[sizeof(command) - 1] = '\0';
    do {
        result = system(command);
    } while (result == -1 && errno == EINTR);

    snprintf(command, sizeof(command), "rm -rf \"%s\"", path.c_str());
    command[sizeof(command) - 1] = '\0';
    do {
        result = system(command);
    } while (result == -1 && errno == EINTR);
    if (result == -1) {
        char message[1024];
        int e = errno;
        snprintf(message, sizeof(message) - 1, "Cannot remove directory '%s'",
            path.c_str());
        message[sizeof(message) - 1] = '\0';
        throw FileSystemException(message, e, path);
    }
}
>> but I can dontaudit those. I've also changed the labelling so that only
>> the passenger executable is labelled with the entry type; all other
>> passenger files are content type. The policy becomes:
>>
>> #### myapp.te ####
>> policy_module(myapp,1.0)
>>
>> apache_content_template(myapp);
>>
>> kernel_read_kernel_sysctls(httpd_myapp_script_t);
>> miscfiles_read_certs(httpd_myapp_script_t);
>> term_use_all_user_ptys(httpd_myapp_script_t);
>>
>> dontaudit httpd_t self:capability { fowner };
>> allow httpd_t httpd_myapp_script_t:unix_stream_socket rw_socket_perms;
>> allow httpd_t httpd_myapp_script_rw_t:fifo_file manage_file_perms;
>> allow httpd_t httpd_myapp_script_rw_t:sock_file { setattr unlink };
>>
>> allow httpd_myapp_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid };
>> allow httpd_myapp_script_t httpd_t:unix_stream_socket { read write };
>>
>> #### myapp.fc ####
>> /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15/lib/phusion_passenger/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:httpd_myapp_script_exec_t, s0)
>> /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15(/.*)? gen_context(system_u:object_r:httpd_myapp_content_t, s0)
>> /usr/local/lib/myapp(/.*)? gen_context(system_u:object_r:httpd_myapp_content_t, s0)
>> /var/run/passenger(/.*)? gen_context(system_u:object_r:httpd_myapp_script_rw_t, s0)
>>
>>
>> Thanks for your reply on the documentation, too. I'll take time to work
>> through it properly.
Moray.
"To err is human. To purr, feline"
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
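As an added example (not from the thread, nor from Passenger or the Fedora policy), here is a small Python script that does by hand what audit2allow does for the records quoted above: it parses the AVC lines, groups the denied permissions by source type, target type and object class, counts denials per comm (which answers the "what in httpd_t ran chmod" question), and renders the rules, writing httpd_t's fowner as a dontaudit rule the way the posted myapp.te does. The sock_file record in the sample input is constructed for the example; the others are the thread's own records rejoined onto single lines.

```python
import re
from collections import defaultdict

# Sample input, constructed for this example: the thread's two AVC records
# (rejoined onto one line each), one SYSCALL companion and a made-up sock_file denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1282212879.945:6710639): avc: denied { fowner } for pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1282212879.945:6710639): arch=40000003 syscall=15 success=no exit=-1 a0=91d95ec a1=9c0 a2=8051614 a3=0 items=0 ppid=10439 pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1282212879.946:6710640): avc: denied { fowner } for pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1282212880.100:6710650): avc: denied { setattr unlink } for pid=10442 comm="rm" name="app.socket" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_myapp_script_rw_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted

def parse_avc(line):
    """Return the denied perms and the key=value fields of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None                      # SYSCALL and other record types
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    fields["perms"] = frozenset(m.group(1).split())
    return fields

def sel_type(context):
    return context.split(":")[2]         # user:role:type:level -> type

def summarize(audit_text):
    """Group denied perms by (source type, target type or 'self', class) and
    count denials per comm, which answers 'what in httpd_t ran chmod'."""
    groups, by_comm = defaultdict(set), defaultdict(int)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stype, ttype = sel_type(rec["scontext"]), sel_type(rec["tcontext"])
        target = "self" if ttype == stype else ttype
        groups[(stype, target, rec["tclass"])] |= rec["perms"]
        by_comm[rec.get("comm", "?")] += 1
    return dict(groups), dict(by_comm)

def render_rules(groups, dontaudit=frozenset()):
    """One rule per group; keys in `dontaudit` become dontaudit rules (as the thread does for fowner)."""
    rules = []
    for key, perms in sorted(groups.items()):
        verb = "dontaudit" if key in dontaudit else "allow"
        stype, target, tclass = key
        perm_list = " ".join(sorted(perms))
        rules.append(f"{verb} {stype} {target}:{tclass} {{ {perm_list} }};")
    return rules
```

Calling `summarize(SAMPLE_AUDIT)` and then `render_rules(groups, dontaudit={("httpd_t", "self", "capability")})` reproduces the `dontaudit httpd_t self:capability { fowner };` and `allow httpd_t httpd_myapp_script_rw_t:sock_file { setattr unlink };` lines of the posted policy.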