httpd controls ?

[Colin Walters]

On Wed, 2005-03-30 at 10:03 -0600, Christofer C. Bell wrote:

> That's a very good point and really bears spelling out.  How would one
> go about creating the new domain and then implementing the proper
> transition for just one set of CGI scripts?  I ask because I (was)
> running Open WebMail and ran into the case where I needed to
> effectively disable SELinux controls over all CGI scripts to allow OWM
> to run.  I would have preferred the case where these controls were
> removed *only* for the relavent scripts, allowing the remaining
> scripts to keep the protections afforded by the default policy.

Dan has written a new domain "httpd_unconfined_t" and corresponding
httpd_unconfined_script_exec_t which I believe is in the latest rawhide.
You can then mark specific CGI scripts such as ones that change user
passwords like so:

chcon -t httpd_unconfined_script_exec_t /path/to/my/passwd.cgi

Then the script will be unconfined when executed by httpd.  Note that in
general this is fairly dangerous if the script is actually written in a
language like Python, since a malicious httpd_t process could set a
number of environment variables like PYTHONPATH before executing the
script which could easily lead to a compromise of the unconfined script.
I can't think of a good solution for this other than writing your own
little C program.  Probably we need a specialized interpreter,
e.g. /bin/envexec which would take a list of environment variables to
preserve, and you could write a little script like:

#!/bin/envexec 
/var/www/cgi-bin/myscript.cgi

Then you make that file executable and make its type be
httpd_unconfined_script_exec_t.  

Maybe someone can think of a better way to create wrappers for cleaning
the environment without actually writing a new little C program.