CGI Script permissions

Daniel J Walsh dwalsh at redhat.com
Fri May 26 18:18:59 UTC 2006


Paul Howarth wrote:
> Daniel J Walsh wrote:
>> Jochen Wiedmann wrote:
>>> Paul Howarth wrote:
>>>
>>>> The simplest fix might be to change the file context of this particular
>>>> CGI script to httpd_unconfined_script_exec_t instead of
>>>> httpd_sys_script_t. That would effectively turn off SELinux protection
>>>> for that particular script.
>>>
>>>> The alternative approach of using audit2allow to create a local policy
>>>> to allow these capabilities would turn on these capabilities for *all*
>>>> of your CGI scripts, which IMHO would be worse than turning off
>>>> protection for just that one script (particularly if that script was
>>>> well-audited for security issues).
>>>
>>>> Ideally it would be easy to create a subclass of CGI scripts and assign
>>>> special capabilities to those (I have a similar issue with FastCGI
>>>> scripts that need slightly more capabilities than regular CGI scripts),
>>>> but that's beyond me at this moment.
>>>
>>> As the script in question can indeed be called well-audited (basically, it
>>> just allows one to trigger a certain action by calling another script with
>>> fixed attributes), I have decided to go with httpd_unconfined_script_exec_t.
>>> That did the trick neatly.
>>>
>>> Thanks very much,
>>>
>>> Jochen
>>
>> Another alternative might be to write your own module
>>
>> Create three files
>>
>> # cat  >> myapache.te  << _EOF
>> policy_module(myapache,1.0.0)
>> apache_content_template(myapache)
>> allow httpd_myapache_script_t self:capability setuid;
>> allow httpd_myapache_script_t self:process setrlimit;
>> _EOF
>>
>> echo > myapache.if
>>
>> # cat  >> myapache.te  << _EOF
>
> That should be myapache.fc
>
>> /var/www/cgi-bin/myapache_script            --    gen_context(system_u:object_r:httpd_myapache_script_exec_t,s0)
>> _EOF
>>
>> Then build a policy module.
>>
>> make -f /usr/share/selinux/devel/Makefile
>>
>> semodule -i myapache.pp
>>
>> restorecon -F -v /var/www/cgi-bin/myapache_script
>>
>> Then try it out. Of course you might need additional rules.
>
> I made something similar for my moin wiki running under mod_fcgid:
>
> te file:
>
> policy_module(apache, 0.2.1)
>
> require {
>         type devpts_t;
>         type httpd_t;
>         type httpd_log_t;
>         type httpd_sys_script_exec_t;
>         type var_run_t;
> };
>
> # ==========================================================
> # Create and use httpd_fastcgi_script_t for mod_fcgid apps
> # ==========================================================
>
> apache_content_template(fastcgi)
> kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
>
> # Allow FastCGI applications to live alongside regular CGI apps
> allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
>
> # Allow FastCGI applications to listen for FastCGI requests on their
> # sockets and respond to them
> allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
>
> # FastCGI application doing something to the httpd error log
> dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
>
> # Not sure what this is doing (happens when fastcgi scripts start)
> dontaudit httpd_t devpts_t:chr_file ioctl;
>
> # mod_fcgid setting attr of its socket dir
> allow httpd_t var_run_t:dir setattr;
Why not create a context for its socket dir so you don't need this for var_run?
>
>
> fc file:
>
> /srv/www/tips/cgi-bin/moin.fcgi -- gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
> /var/www/tips/cgi-bin/moin.fcgi -- gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
>
> Paul.

I think it might be a good idea to add this (fastcgi that is) policy to 
base.  Have you tried to submit it upstream?
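Following up on the suggestion above to give the mod_fcgid socket dir its own context, here is an added example (not from the thread, and not either poster's policy) of how the fastcgi module could be reworked: it declares a dedicated type for the socket dir so that the blanket "allow httpd_t var_run_t:dir setattr" rule is no longer needed. It assumes the refpolicy interfaces files_pid_file and files_pid_filetrans and the manage_*_pattern macros are present in the installed devel headers, that an empty myfastcgi.if sits beside the .te file, and that the socket dir path is a placeholder to be replaced with the SocketPath configured for mod_fcgid.

```selinux
# myfastcgi.te -- build with: make -f /usr/share/selinux/devel/Makefile
# (an empty myfastcgi.if must exist alongside it, as with myapache.if above)
policy_module(myfastcgi, 0.3.0)

require {
        type httpd_t;
        type httpd_sys_script_exec_t;
}

# Create httpd_fastcgi_script_t / httpd_fastcgi_script_exec_t, as in the thread
apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)

# Allow FastCGI applications to live alongside regular CGI apps
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir search_dir_perms;

# The listening socket is created by httpd_t and inherited by the application,
# so the application only needs to use httpd's socket, not the socket file
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;

# Dedicated type for the mod_fcgid socket directory (new in this example),
# registered as a run-time file type so it may live under /var/run
type httpd_fcgid_var_run_t;
files_pid_file(httpd_fcgid_var_run_t)

# httpd may create, relabel and remove its socket dir and the sockets in it,
# but only objects of this type, not everything labelled var_run_t
manage_dirs_pattern(httpd_t, httpd_fcgid_var_run_t, httpd_fcgid_var_run_t)
manage_sock_files_pattern(httpd_t, httpd_fcgid_var_run_t, httpd_fcgid_var_run_t)

# When httpd_t creates a directory directly in /var/run (var_run_t), label it
# httpd_fcgid_var_run_t instead of letting it inherit var_run_t; this is what
# makes the "allow httpd_t var_run_t:dir setattr" rule unnecessary
files_pid_filetrans(httpd_t, httpd_fcgid_var_run_t, dir)

# myfastcgi.fc (a separate file) so restorecon and a full relabel agree with
# the transition above; FCGID_SOCKET_DIR is a placeholder for your SocketPath
# /var/run/FCGID_SOCKET_DIR(/.*)?      gen_context(system_u:object_r:httpd_fcgid_var_run_t,s0)
# /var/www/tips/cgi-bin/moin.fcgi  --  gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
```

If the installed apache module already provides a run-time type of its own for httpd (httpd_var_run_t) and a transition for directories, pointing SocketPath under that directory is the lighter-weight alternative to declaring a new type.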
