fedora-selinux August 2010 archive

RE: Sample Passenger/Rails policy for review

From: Moray Henderson <Moray.Henderson_at_nospam>
Date: Thu Aug 19 2010 - 15:28:19 GMT
To: <selinux@lists.fedoraproject.org>

Dominick Grift wrote:
>On 08/19/2010 03:26 PM, Moray Henderson wrote:
>> Dominick Grift wrote:
>>>> I still get denials when apache starts or stops:
>>>>
>>>> type=AVC msg=audit(1282212879.945:6710639): avc: denied { fowner } for
>>>> pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0
>>>> tcontext=user_u:system_r:httpd_t:s0 tclass=capability type=SYSCALL
>>>> msg=audit(1282212879.945:6710639): arch=40000003 syscall=15
>>>> success=no exit=-1 a0=91d95ec a1=9c0 a2=8051614 a3=0 items=0 ppid=10439
>>>> pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>>> fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod"
>>>> subj=user_u:system_r:httpd_t:s0 key=(null) type=AVC
>>>> msg=audit(1282212879.946:6710640): avc: denied { fowner } for
>>>> pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0
>>>> tcontext=user_u:system_r:httpd_t:s0 tclass=capability type=SYSCALL
>>>> msg=audit(1282212879.946:6710640): arch=40000003 syscall=15
>>>> success=no exit=-1 a0=91d96a4 a1=9c0 a2=8051614 a3=0 items=0 ppid=10439
>>>> pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>>> fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod"
>>>> subj=user_u:system_r:httpd_t:s0 key=(null)
>>>
>>> So something running in the httpd_t domain wants to change file
>>> ownership of some object.
>>>
>>> Still wondering what is running in the httpd_t domain that ran chmod,
>>> and on which object did it run it.
>>
>> I think I've found it. It's in the mod_passenger library, which is
>> currently
>>
>> -rwxrwxr-x root root system_u:object_r:httpd_modules_t
>> /usr/lib/httpd/modules/mod_passenger.so
>>
>> There are a couple of functions there that deal with creation and
>> deletion of FIFOs and mention chmod. As it's loaded by the master
>> apache daemon, I didn't think we could tweak its permissions.
>> Everything seems to work - is there a problem?
>
>see what happens when you label it with the passenger executable type,
>httpd_myapp_script_exec_t.
>
>The problem is that we do not want to have to extend httpd_t policy if we
>do not have to.

Didn't make any difference:

-rwxrwxr-x root root system_u:object_r:httpd_myapp_script_exec_t
/usr/lib/httpd/modules/mod_passenger.so

restart apache

time->Thu Aug 19 16:09:57 2010
type=SYSCALL msg=audit(1282230597.685:6710715): arch=40000003 syscall=15
success=no exit=-1 a0=90cd5ec a1=9c0 a2=8051614 a3=0 items=0 ppid=13247
pid=13248 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1282230597.685:6710715): avc: denied { fowner } for
pid=13248 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:system_r:httpd_t:s0 tclass=capability

>> static void
>> createNonWritableFifo(const string &filename) {
>>     int ret, e;
>>     bool ignoreChmodErrors = false;
>>
>>     do {
>>         ret = mkfifo(filename.c_str(), 0);
>>     } while (ret == -1 && errno == EINTR);
>>     if (ret == -1) {
>>         if (errno == EEXIST) {
>>             /* The FIFO file was likely created by root, but after lowering
>>              * privilege createPassengerTempDir() is called again, and this
>>              * time we won't be able to set permissions. So in this case
>>              * we'll want to ignore any chmod errors.
>>              */
>>             ignoreChmodErrors = geteuid() != 0;
>>         } else {
>>             e = errno;
>>             throw FileSystemException("Cannot create FIFO file " + filename,
>>                 e, filename);
>>         }
>>     }
>>
>>     do {
>>         ret = chmod(filename.c_str(), 0);
>>     } while (ret == -1 && errno == EINTR);
>>     if (ret == -1 && !ignoreChmodErrors) {
>>         e = errno;
>>         throw FileSystemException("Cannot set permissions on file " +
>>             filename, e, filename);
>>     }
>> }
>>
>> void
>> removeDirTree(const string &path) {
>>     char command[PATH_MAX + 30];
>>     int result;
>>
>>     snprintf(command, sizeof(command), "chmod -R u+rwx \"%s\" 2>/dev/null",
>>         path.c_str());
>>     command[sizeof(command) - 1] = '\0';
>>     do {
>>         result = system(command);
>>     } while (result == -1 && errno == EINTR);
>>
>>     snprintf(command, sizeof(command), "rm -rf \"%s\"", path.c_str());
>>     command[sizeof(command) - 1] = '\0';
>>     do {
>>         result = system(command);
>>     } while (result == -1 && errno == EINTR);
>>     if (result == -1) {
>>         char message[1024];
>>         int e = errno;
>>
>>         snprintf(message, sizeof(message) - 1, "Cannot remove directory '%s'",
>>             path.c_str());
>>         message[sizeof(message) - 1] = '\0';
>>         throw FileSystemException(message, e, path);
>>     }
>> }
>>
>>>> but I can dontaudit those. I've also changed the labelling so that only
>>>> the passenger executable is labelled with the entry type; all other
>>>> passenger files are content type. The policy becomes:
>>>>
>>>> #### myapp.te ####
>>>> policy_module(myapp,1.0)
>>>>
>>>> apache_content_template(myapp);
>>>>
>>>> kernel_read_kernel_sysctls(httpd_myapp_script_t);
>>>> miscfiles_read_certs(httpd_myapp_script_t);
>>>> term_use_all_user_ptys(httpd_myapp_script_t);
>>>>
>>>> dontaudit httpd_t self:capability { fowner };
>>>> allow httpd_t httpd_myapp_script_t:unix_stream_socket rw_socket_perms;
>>>> allow httpd_t httpd_myapp_script_rw_t:fifo_file manage_file_perms;
>>>> allow httpd_t httpd_myapp_script_rw_t:sock_file { setattr unlink };
>>>>
>>>> allow httpd_myapp_script_t self:capability { chown dac_override
>>>>     dac_read_search fowner fsetid setgid setuid };
>>>> allow httpd_myapp_script_t httpd_t:unix_stream_socket { read write };
>>>>
>>>> #### myapp.fc ####
>>>> /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15/lib/phusion_passenger/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:httpd_myapp_script_exec_t, s0)
>>>> /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15(/.*)? gen_context(system_u:object_r:httpd_myapp_content_t, s0)
>>>> /usr/local/lib/myapp(/.*)? gen_context(system_u:object_r:httpd_myapp_content_t, s0)
>>>> /var/run/passenger(/.*)? gen_context(system_u:object_r:httpd_myapp_script_rw_t, s0)
>>>>
>>>>
>>>> Thanks for your reply on the documentation, too. I'll take time to work
>>>> through it properly.

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
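As an added illustration (not part of the thread, and not Passenger or refpolicy code), the following Python script reads audit records like the ones quoted above and turns them into the kind of TE rules that myapp.te contains: denials are grouped per (source type, target type, object class), and a chosen (source, class) pair is emitted as a dontaudit rule rather than an allow rule, which is what the thread does for httpd_t's fowner denial. The SYSCALL+AVC record is the one quoted in the reply; the fifo_file denial is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the SYSCALL+AVC record quoted in the thread joined onto
# one line as ausearch prints it, plus one made-up fifo_file denial.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1282230597.685:6710715): arch=40000003 syscall=15 '
    'success=no exit=-1 a0=90cd5ec a1=9c0 a2=8051614 a3=0 items=0 ppid=13247 pid=13248 '
    'auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=404 '
    'comm="chmod" exe="/bin/chmod" subj=user_u:system_r:httpd_t:s0 key=(null) '
    'type=AVC msg=audit(1282230597.685:6710715): avc: denied { fowner } for pid=13248 '
    'comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=user_u:system_r:httpd_t:s0 tclass=capability',
    # constructed, not from the thread:
    'type=AVC msg=audit(1282230600.000:6710720): avc: denied { create setattr } for '
    'pid=13250 comm="httpd" name="passenger.fifo" scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_myapp_script_rw_t:s0 tclass=fifo_file',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the pieces of one AVC denial a policy writer needs, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "perms": set(m.group(1).split()),
        "source": f["scontext"].split(":")[2],  # domain of the denied process
        "target": f["tcontext"].split(":")[2],  # type of the object it touched
        "tclass": f["tclass"],
        "comm": f.get("comm"), "exe": f.get("exe"), "ppid": f.get("ppid"),  # what ran chmod?
    }

def policy_rules(lines, silence=frozenset()):
    """One TE rule per (source, target, class); (source, class) pairs listed in
    `silence` become dontaudit rules, as the thread does for the fowner denial."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            grouped[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        verb = "dontaudit" if (src, cls) in silence else "allow"
        tgt = "self" if tgt == src else tgt
        rules.append(f"{verb} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules
```

Running `policy_rules(SAMPLE_LOG, silence={("httpd_t", "capability")})` yields the fifo_file allow rule and `dontaudit httpd_t self:capability { fowner };`, while `parse_avc` on the first record reports exe=/bin/chmod with ppid 13247, which is the "what ran chmod" question asked in the thread.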