CGI Script permissions

Fri Jun 9 12:37:31 UTC 2006

Paul Howarth wrote:
> On Thu, 2006-06-08 at 15:03 -0400, Daniel J Walsh wrote:
>> Paul Howarth wrote:
>>> On Fri, 2006-05-26 at 14:18 -0400, Daniel J Walsh wrote: 
>>>   
>>>> Paul Howarth wrote:
>>>>     
>>>>> I made something similar for my moin wiki running under mod_fcgid:
>>>>>
>>>>> te file:
>>>>>
>>>>> policy_module(apache, 0.2.1)
>>>>>
>>>>> require {
>>>>>         type devpts_t;
>>>>>         type httpd_t;
>>>>>         type httpd_log_t;
>>>>>         type httpd_sys_script_exec_t;
>>>>>         type var_run_t;
>>>>> };
>>>>>
>>>>> # ==========================================================
>>>>> # Create and use httpd_fastcgi_script_t for mod_fcgid apps
>>>>> # ==========================================================
>>>>>
>>>>> apache_content_template(fastcgi)
>>>>> kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
>>>>>
>>>>> # Allow FastCGI applications to live alongside regular CGI apps
>>>>> allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { 
>>>>> search_dir_perms };
>>>>>
>>>>> # Allow FastCGI applications to listen for FastCGI requests on their
>>>>> # sockets and respond to them
>>>>> allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { 
>>>>> rw_stream_socket_perms };
>>>>>
>>>>> # FastCGI application doing something to the httpd error log
>>>>> dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
>>>>>
>>>>> # Not sure what this is doing (happens when fastcgi scripts start)
>>>>> dontaudit httpd_t devpts_t:chr_file ioctl;
>>>>>
>>>>> # mod_fcgid setting attr of its socket dir
>>>>> allow httpd_t var_run_t:dir setattr;
>>>>>       
>>>> Why not create a context for its socket dir so you don't need this for 
>>>> var_run?
>>>>     
>>> The obvious type to use would really be httpd_var_run_t rather than
>>> creating a new type (comparing with other users of /var/run). In fact I
>>> think I tried that but it seemed worse than leaving it the default
>>> var_run_t and adding the one allow rule. What would you suggest?
>>>
>>>   
>> What errors do you see?
>>
>> We already have these rules in policy
>>
>> allow httpd_t httpd_var_run_t:file create_file_perms;
>> allow httpd_t httpd_var_run_t:sock_file create_file_perms;
>> allow httpd_t httpd_var_run_t:dir rw_dir_perms;
>> files_pid_filetrans(httpd_t,httpd_var_run_t, { file sock_file })
>>
>> Which should be able to handle this if you relabel the /var/run/XYZ dir.
> 
> Looks like it's just the same one now:
> 
> type=AVC msg=audit(1149799121.917:265395): avc:  denied  { setattr } for
> pid=10825 comm="httpd" name="mod_fcgid" dev=dm-4 ino=458818
> scontext=user_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dirtype=SYSCALL
> msg=audit(1149799121.917:265395): arch=40000003 syscall=212 success=yes
> exit=0 a0=87639d0 a1=30 a2=ffffffff a3=30 items=1 pid=10825 auid=500
> uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd"
> exe="/usr/sbin/httpd"
> type=CWD msg=audit(1149799121.917:265395):  cwd="/"
> type=PATH msg=audit(1149799121.917:265395): item=0
> name="/etc/httpd/run/mod_fcgid" flags=1  inode=458818 dev=fd:04
> mode=040755 ouid=48 ogid=48 rdev=00:00
> 
> (/etc/httpd/run is a symlink to /var/run)
> 
> So I guess I just change the rule to be for httpd_var_run_t rather than
> var_run_t (rw_dir_perms doesn't include setattr)?

I decided to use a completely new type instead of reusing an existing one.

New policy:

####### fastcgi.fc #######
/var/run/mod_fcgid(/.*)? 
gen_context(system_u:object_r:httpd_fastcgi_sock_t,s0)

####### fastcgi.te #######
policy_module(fastcgi, 0.1.2)

type httpd_fastcgi_sock_t;
files_type(httpd_fastcgi_sock_t)

require {
         type devpts_t;
         type httpd_t;
         type httpd_config_t;
         type httpd_log_t;
         type httpd_sys_script_exec_t;
         type httpd_sys_content_t;
};

# ==========================================================
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
# ==========================================================

apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)

# Allow FastCGI applications to live alongside regular CGI apps
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { 
search_dir_perms };
allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };

# Allow FastCGI applications to read the routing table
allow httpd_fastcgi_script_t self:netlink_route_socket { 
r_netlink_socket_perms };

# Allow httpd to create and use sockets for communicating with mod_fcgid
allow httpd_t httpd_fastcgi_sock_t:dir { rw_dir_perms setattr };
allow httpd_t httpd_fastcgi_sock_t:sock_file { create_file_perms };

# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { 
rw_stream_socket_perms };

# FastCGI application doing something to the httpd error log
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;

# Not sure what this is doing (happens when fastcgi scripts start)
dontaudit httpd_t devpts_t:chr_file ioctl;

# ======================================================
# Equivalent policy cribbed from httpd_sys_script_t
# ======================================================

dontaudit httpd_fastcgi_script_t httpd_config_t:dir search;

files_search_var_lib(httpd_fastcgi_script_t)
files_search_spool(httpd_fastcgi_script_t)

ifdef(`distro_redhat',`
         allow httpd_fastcgi_script_t httpd_log_t:file { getattr append };
')

ifdef(`targeted_policy',`
         tunable_policy(`httpd_enable_homedirs',`

userdom_search_generic_user_home_dirs(httpd_fastcgi_script_t)
         ')
')

optional_policy(`
         mysql_stream_connect(httpd_fastcgi_script_t)
         mysql_rw_db_sockets(httpd_fastcgi_script_t)
')

Paul.