Making a python/shell script run in httpd_t (or some other domain)

Stephen Smalley sds at tycho.nsa.gov
Mon Mar 12 13:48:04 UTC 2007 

On Mon, 2007-03-12 at 08:53 -0400, Stephen Smalley wrote:
> On Sat, 2007-03-10 at 09:55 -0700, Forrest Taylor wrote:
> > I am trying to make a python script run in the httpd_t domain on RHEL5
> > RC4.  I have assigned the script the httpd_exec_t type.  I searched the
> > archives, and I saw an earlier post that stated that I should use the -E
> > option to python:
> > 
> > #!/usr/bin/python -E
> > 
> > I see the same entry in python scripts like setroubleshootd.  However,
> > when I try to run my script (or setroubleshootd, for that matter)
> > directly, it runs in unconfined_t.  I have the same problem with shell
> > executables.  Any tips?
> 
> unconfined_t transitions to initrc_t upon running an init script, and
> then initrc_t transitions to the appropriate domain (e.g. httpd_t) upon
> executing the program.  That has been the case for Fedora Core 4 and
> later, I believe.  There is no direct transition from unconfined_t to
> httpd_t.  Providing such direct transitions, as in Fedora Core 3, caused
> a number of problems in cases where you didn't actually want to run a
> program in the same domain when directly run by the user vs. when run by
> an init script.  You can of course always force the transition via
> runcon -t, if allowed by policy.
> 
> > run_init will run as expected, but it does also ask for the root
> > password.  I know that I could change the pam.d/ entry, but I don't want
> > to do that at this point.
> 
> runcon should work for you as long as you start unconfined and the
> program has the right type.
> 
> > I created an init script that simply calls the executable.  This works
> > as expected, as long as the script starts with the interpreter (e.g.,
> > #!/bin/bash).  If I leave out that line, it does not transition.  Any
> > idea why?
> 
> If you trace the execution, you'll see there is a difference in what
> happens for those two situations.  With the #!/bin/bash header, the
> kernel can directly launch the interpreter upon exec of the script, and
> thus we can perform a domain transition based on the script there
> (although you should only ever do that when the calling domain is more
> trusted than the called domain, since script execution has an inherent
> race condition and scripts are so susceptible to caller influence).
> Without the header, the kernel will reject the script upon direct exec,
> and the shell falls back to exec'ing the intepreter with the script as
> an argument, at which point the kernel doesn't see it at all as relevant
> to the exec call (thus no domain transition).

Of course, someone could instrument the shell to call
security_compute_create(3) and setexeccon(3) in the latter case to
emulate the domain transition, similar to runcon -c.  The shell would
need to gracefully fall back if denied permission though, as it often
won't be able to do that when run in a confined domain.

-- 
Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list