fedora-selinux August 2010 archive
Main Archive Page > Month Archives  > fedora-selinux archives
fedora-selinux: Re: Sample Passenger/Rails policy for review

Re: Sample Passenger/Rails policy for review

From: Dominick Grift <domg472_at_nospam>
Date: Thu Aug 19 2010 - 15:31:47 GMT
To: selinux@lists.fedoraproject.org

On 08/19/2010 05:28 PM, Moray Henderson wrote:
> Dominick Grift wrote:
>> On 08/19/2010 03:26 PM, Moray Henderson wrote:
>>> Dominick Grift wrote:
>>>>> I still get denials when apache starts or stops:
>>>>>
>>>>> type=AVC msg=audit(1282212879.945:6710639): avc: denied { fowner
> }
>>> for
>>>>> pid=10440 comm="chmod" capability=3
>>> scontext=user_u:system_r:httpd_t:s0
>>>>> tcontext=user_u:system_r:httpd_t:s0 tclass=capability type=SYSCALL
>>>>> msg=audit(1282212879.945:6710639): arch=40000003
>>> syscall=15
>>>>> success=no exit=-1 a0=91d95ec a1=9c0 a2=8051614 a3=0 items=0
>>> ppid=10439
>>>>> pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>>>> fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod"
>>>>> subj=user_u:system_r:httpd_t:s0 key=(null) type=AVC
>>>>> msg=audit(1282212879.946:6710640): avc: denied { fowner }
>>> for
>>>>> pid=10440 comm="chmod" capability=3
>>> scontext=user_u:system_r:httpd_t:s0
>>>>> tcontext=user_u:system_r:httpd_t:s0 tclass=capability type=SYSCALL
>>>>> msg=audit(1282212879.946:6710640): arch=40000003
>>> syscall=15
>>>>> success=no exit=-1 a0=91d96a4 a1=9c0 a2=8051614 a3=0 items=0
>>> ppid=10439
>>>>> pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>>>> fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod"
>>>>> subj=user_u:system_r:httpd_t:s0 key=(null)
>>>>
>>>> So something running in the httpd_t domain wants to change file
>>>> ownership of some object.
>>>>
>>>> Still wondering what is running in the httpd_t domain that ran
> chmod,
>>>> and on which object did it run it.
>>>
>>> I think I've found it. It's in the mod_passenger library, which is
>>> currently
>>>
>>> -rwxrwxr-x root root system_u:object_r:httpd_modules_t
>>> /usr/lib/httpd/modules/mod_passenger.so
>>>
>>> There are a couple of functions there that deal with creation and
>>> deletion of FIFOs and mention chmod. As it's loaded by the master
>>> apache daemon, I didn't think we could tweak its permissions.
>>> Everything seems to work - is there a problem?
>>
>> see what happens when you label it with the passenger executable type.
>> httpd_myapp_script_exec_t.
>>
>> The problem is that we do not want to have to extend httpd_t policy if
> we
>> do not have to.
>
> Didn't make any difference:

ok strange, and there arent any other executable files included with
mod_passenger that should be labelled with the passenger executable type?

In that case i guess it is apache running chmod on some unidentified
object(s).

>
> -rwxrwxr-x root root system_u:object_r:httpd_myapp_script_exec_t
> /usr/lib/httpd/modules/mod_passenger.so
>
> restart apache
>
> time->Thu Aug 19 16:09:57 2010
> type=SYSCALL msg=audit(1282230597.685:6710715): arch=40000003 syscall=15
> success=no exit=-1 a0=90cd5ec a1=9c0 a2=8051614 a3=0 items=0 ppid=13247
> pid=13248 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod"
> subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1282230597.685:6710715): avc: denied { fowner } for
> pid=13248 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:system_r:httpd_t:s0 tclass=capability
>
>
>>> static void
>>> createNonWritableFifo(const string &filename) {
>>> int ret, e;
>>> bool ignoreChmodErrors = false;
>>>
>>> do {
>>> ret = mkfifo(filename.c_str(), 0);
>>> } while (ret == -1 && errno == EINTR);
>>> if (ret == -1) {
>>> if (errno == EEXIST) {
>>> /* The FIFO file was likely created by root, but after
> lowering
>>> * privilege createPassengerTempDir() is called again, and
> this
>>> * time we won't be able to set permissions. So in this case
>>> * we'll want to ignore any chmod errors.
>>> */
>>> ignoreChmodErrors = geteuid() != 0;
>>> } else {
>>> e = errno;
>>> throw FileSystemException("Cannot create FIFO file " +
> filename,
>>> e, filename);
>>> }
>>> }
>>>
>>> do {
>>> ret = chmod(filename.c_str(), 0);
>>> } while (ret == -1 && errno == EINTR);
>>> if (ret == -1 && !ignoreChmodErrors) {
>>> e = errno;
>>> throw FileSystemException("Cannot set permissions on file " +
>>> filename, e, filename);
>>> }
>>> }
>>>
>>> void
>>> removeDirTree(const string &path) {
>>> char command[PATH_MAX + 30];
>>> int result;
>>>
>>> snprintf(command, sizeof(command), "chmod -R u+rwx \"%s\"
>>> 2>/dev/null", path.c_str());
>>> command[sizeof(command) - 1] = '\0';
>>> do {
>>> result = system(command);
>>> } while (result == -1 && errno == EINTR);
>>>
>>> snprintf(command, sizeof(command), "rm -rf \"%s\"",
> path.c_str());
>>> command[sizeof(command) - 1] = '\0';
>>> do {
>>> result = system(command);
>>> } while (result == -1 && errno == EINTR);
>>> if (result == -1) {
>>> char message[1024];
>>> int e = errno;
>>>
>>> snprintf(message, sizeof(message) - 1, "Cannot remove directory
>>> '%s'", path.c_str());
>>> message[sizeof(message) - 1] = '\0';
>>> throw FileSystemException(message, e, path);
>>> }
>>> }
>>>
>>>>> but I can dontaudit those. I've also changed the labelling so that
>>> only
>>>>> the passenger executable is labelled with the entry type; all other
>>>>> passenger files are content type. The policy becomes:
>>>>>
>>>>> #### myapp.te ####
>>>>> policy_module(myapp,1.0)
>>>>>
>>>>> apache_content_template(myapp);
>>>>>
>>>>> kernel_read_kernel_sysctls(httpd_myapp_script_t);
>>>>> miscfiles_read_certs(httpd_myapp_script_t);
>>>>> term_use_all_user_ptys(httpd_myapp_script_t);
>>>>>
>>>>> dontaudit httpd_t self:capability { fowner }; allow httpd_t
>>>>> httpd_myapp_script_t:unix_stream_socket
>>> rw_socket_perms;
>>>>> allow httpd_t httpd_myapp_script_rw_t:fifo_file manage_file_perms;
>>>>> allow httpd_t httpd_myapp_script_rw_t:sock_file { setattr unlink };
>>>>>
>>>>> allow httpd_myapp_script_t self:capability { chown dac_override
>>>>> dac_read_search fowner fsetid setgid setuid }; allow
>>>>> httpd_myapp_script_t httpd_t:unix_stream_socket { read write };
>>>>>
>>>>> #### myapp.fc ####
>>>>>
>>>
> /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15/lib/phusion_passenger/A
>>> pp
>>>>> licationPoolServerExecutable --
>>>>> gen_context(system_u:object_r:httpd_myapp_script_exec_t, s0)
>>>>> /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15(/.*)?
>>>>> gen_context(system_u:object_r:httpd_myapp_content_t, s0)
>>>>> /usr/local/lib/myapp(/.*)?
>>>>> gen_context(system_u:object_r:httpd_myapp_content_t, s0)
>>>>> /var/run/passenger(/.*)?
>>>>> gen_context(system_u:object_r:httpd_myapp_script_rw_t, s0)
>>>>>
>>>>>
>>>>> Thanks for your reply on the documentation, too. I'll take time to
>>> work
>>>>> through it properly.
>
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux