CGI Script permissions

Paul Howarth paul at city-fan.org
Fri May 26 14:20:41 UTC 2006


Daniel J Walsh wrote:
> Jochen Wiedmann wrote:
>> Paul Howarth wrote:
>>
>>> The simplest fix might be to change the file context of this particular
>>> CGI script to httpd_unconfined_script_exec_t instead of
>>> httpd_sys_script_t. That would effectively turn off SELinux protection
>>> for that particular script.
>>
>>> The alternative approach of using audit2allow to create a local policy
>>> to allow these capabilities would turn on these capabilities for *all*
>>> of your CGI scripts, which IMHO would be worse than turning off
>>> protection for just that one script (particularly if that script was
>>> well-audited for security issues).
>>
>>> Ideally it would be easy to create a subclass of CGI scripts and assign
>>> special capabilities to those (I have a similar issue with FastCGI
>>> scripts that need slightly more capabilities than regular CGI scripts),
>>> but that's beyond me at this moment.
>>
>> As the script in question can indeed be called well-audited (basically,
>> it just allows triggering a certain action by calling another script with
>> fixed attributes), I have decided to go with
>> httpd_unconfined_script_exec_t. That did the trick neatly.
>>
>> Thanks very much,
>>
>> Jochen
>>
> 
> Another alternative might be to write your own module
> 
> Create three files
> 
> # cat  >> myapache.te  << _EOF
> policy_module(myapache,1.0.0)
> apache_content_template(myapache)
> allow httpd_myapache_script_t self:capability setuid;
> allow httpd_myapache_script_t self:process setrlimit;
> _EOF
> 
> echo > myapache.if
> 
> # cat  >> myapache.te  << _EOF

That should be myapache.fc

> /var/www/cgi-bin/myapache_script -- gen_context(system_u:object_r:httpd_myapache_script_exec_t,s0)
> _EOF
> 
> Then build a policy module.
> 
> make -f /usr/share/selinux/devel/Makefile
> 
> semodule -i myapache.pp
> 
> restorecon -F -v /var/www/cgi-bin/myapache_script
> 
> Then try it out. 
> Of course you might need additional rules.

I made something similar for my moin wiki running under mod_fcgid:

te file:

policy_module(apache, 0.2.1)

require {
         type devpts_t;
         type httpd_t;
         type httpd_log_t;
         type httpd_sys_script_exec_t;
         type var_run_t;
};

# ==========================================================
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
# ==========================================================

apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)

# Allow FastCGI applications to live alongside regular CGI apps
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };

# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };

# FastCGI application doing something to the httpd error log
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;

# Not sure what this is doing (happens when fastcgi scripts start)
dontaudit httpd_t devpts_t:chr_file ioctl;

# mod_fcgid setting attr of its socket dir
allow httpd_t var_run_t:dir setattr;


fc file:

/srv/www/tips/cgi-bin/moin.fcgi -- gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
/var/www/tips/cgi-bin/moin.fcgi -- gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)

Paul.
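As an added example, not part of the thread, here is Daniel's three-file module skeleton as a reusable shell script, with the file-context file written under its correct .fc name (the point Paul corrects above) and a label check after restorecon. The Makefile path, semodule and restorecon calls are the ones from the thread; the write_module and build_and_load function names and the parameterised script path are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): write the three policy-module files
# Daniel describes, with the file-context file under its correct .fc name,
# then build, load and verify. Function names are hypothetical.
set -eu

# write_module DIR SCRIPT_PATH [MODULE_NAME]
# Emits NAME.te, NAME.if and NAME.fc into DIR for the CGI script SCRIPT_PATH.
write_module() {
    dir=$1; script=$2; name=${3:-myapache}
    cat > "$dir/$name.te" <<_EOF
policy_module($name, 1.0.0)
apache_content_template($name)
# Extra rights this one script needs beyond the stock httpd_sys_script_t
# domain (the two rules from the thread); add further rules here, not to
# the system-wide script type.
allow httpd_${name}_script_t self:capability setuid;
allow httpd_${name}_script_t self:process setrlimit;
_EOF
    # The interface file may be empty but must exist for the Makefile.
    : > "$dir/$name.if"
    # One file-context entry per line: path regex, file type, context.
    # (Mailers wrap this line; in the real file it must not be wrapped.)
    printf '%s -- gen_context(system_u:object_r:httpd_%s_script_exec_t,s0)\n' \
        "$script" "$name" > "$dir/$name.fc"
}

# build_and_load DIR SCRIPT_PATH [MODULE_NAME]
# Needs root and the selinux-policy-devel Makefile from the thread.
build_and_load() {
    dir=$1; script=$2; name=${3:-myapache}
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$name.pp" )
    semodule -i "$dir/$name.pp"
    restorecon -F -v "$script"
    # Confirm the label took; if the script still fails afterwards, look at
    # the AVC denials for httpd_${name}_script_t and extend the .te file.
    ls -Z "$script" | grep -q "httpd_${name}_script_exec_t"
}
```

Run write_module into a scratch directory first and read the generated files before calling build_and_load as root.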



