Which permission to execute a script?

Daniel J Walsh dwalsh at redhat.com
Mon Nov 24 15:40:56 UTC 2008



Bruno Wolff III wrote:
> On Mon, Nov 17, 2008 at 19:07:40 -0600,
>   Bruno Wolff III <bruno at wolff.to> wrote:
>> On Mon, Nov 17, 2008 at 17:07:42 -0600,
>>   Bruno Wolff III <bruno at wolff.to> wrote:
>>> There doesn't seem to be a http_user_script_exec_t type. Probably it's a
>>> typo, but I didn't see a way to get a full list and didn't manage to
>>> guess the correct name.
>> Yep, typo. For the archive, 'seinfo -t' provides a list of types.
>>
>> The guest policy (at least my modified version) does not allow access to
>> files labelled httpd_user_script_exec_t.
>>
>> I'll keep putzing with this.
> 
> I have it working now. In the end I needed to give both execute and
> execute_no_trans permission for tom_t running httpd_sys_script_exec_t.
> 
> The allow_xguest_exec_content and allow_guest_exec_content booleans
> didn't seem to make a difference.
> 
> Going forward I might want to spend the time to dial this policy back
> as I am executing the scripts with those types as an unconfined user
> (or perhaps I should use the user_u role) and I'd like to prevent tom_t
> from changing them (or replacing the files) with selinux.
> 
> I was having trouble finding what the manage_files_pattern and
> manage_dirs_pattern macros expand to and exactly what functions some
> of the permissions allow. Is there any good documentation of these things
> online?

A couple of things: people have asked for the ability to stop the
execution of programs in the homedir, so the least-priv app does not
have the ability to execute content.  Since xguest has the ability to
execute perl, sh, python and other interpreters, the value of shutting
down execution in the homedir is questionable.  This means
~/bin/myscript.sh will fail, but sh ~/bin/myscript.sh will work.  The
blocking of execution does work for all compiled code.

The policy for the boolean allows the execution of user_home_t, but
not other labeled files in the homedir, which is a bug.



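The rules Bruno ended up needing (execute plus execute_no_trans for tom_t on httpd_sys_script_exec_t), written out as a small local policy module together with a check that the loaded policy really grants both. This is an added example, not code from the thread or from Fedora's policy; it assumes a user domain named tom_t exists in the loaded policy, that the module name tom_exec_httpd_scripts is free, and that checkmodule, semodule_package, semodule and sesearch are installed. The module deliberately grants only read and execute permissions, none of the write/create/unlink set, which is the "dial it back" direction Bruno mentions: tom_t can run the scripts but cannot modify or replace them. As Dan's reply notes, none of this prevents `sh ~/bin/myscript.sh` if the domain can run the interpreter; it only governs direct execution of the labelled file.

```shell
#!/bin/sh
# Added example (not from the thread): minimal local policy module letting the
# hypothetical user domain tom_t run scripts labelled httpd_sys_script_exec_t
# directly, plus a check that both execute and execute_no_trans are granted.
# Assumptions: tom_t exists in the loaded policy; checkmodule, semodule_package,
# semodule and sesearch are available (checkpolicy, policycoreutils, setools).

DOMAIN="${DOMAIN:-tom_t}"
SCRIPT_TYPE="${SCRIPT_TYPE:-httpd_sys_script_exec_t}"
MODULE="tom_exec_httpd_scripts"   # assumed free module name

# Emit the policy module source.  execute lets the domain execve the file;
# execute_no_trans lets it stay in its own domain instead of transitioning.
# No write, create or unlink is granted, so the scripts cannot be altered.
gen_module_te() {
    cat <<EOF
module $MODULE 1.0;

require {
    type $DOMAIN;
    type $SCRIPT_TYPE;
    class file { read getattr open execute execute_no_trans };
}

allow $DOMAIN $SCRIPT_TYPE:file { read getattr open execute execute_no_trans };
EOF
}

# Compile and load the module when the SELinux toolchain is present.
build_and_load() {
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 1; }
    done
    tmp=$(mktemp -d) || return 1
    gen_module_te > "$tmp/$MODULE.te"
    checkmodule -M -m -o "$tmp/$MODULE.mod" "$tmp/$MODULE.te" &&
        semodule_package -o "$tmp/$MODULE.pp" -m "$tmp/$MODULE.mod" &&
        semodule -i "$tmp/$MODULE.pp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Read sesearch allow-rule output on stdin; succeed only if the rules for
# DOMAIN -> SCRIPT_TYPE:file cover both execute and execute_no_trans.
# Permissions may be spread over several rules, so they are accumulated.
has_direct_exec() {
    awk -v d="$DOMAIN" -v t="$SCRIPT_TYPE" '
        $1 == "allow" && $2 == d && $3 == t ":file" {
            for (i = 4; i <= NF; i++) {
                p = $i
                gsub(/[{};]/, "", p)       # strip braces and the trailing ";"
                if (p == "execute") e = 1
                if (p == "execute_no_trans") n = 1
            }
        }
        END { exit !(e && n) }'
}

# Live check against the loaded policy (needs sesearch).
check_loaded_policy() {
    command -v sesearch >/dev/null 2>&1 || { echo "missing sesearch" >&2; return 2; }
    sesearch -A -s "$DOMAIN" -t "$SCRIPT_TYPE" -c file | has_direct_exec
}
```

Typical use on a box with the tools: `build_and_load && check_loaded_policy && echo "tom_t can exec $SCRIPT_TYPE directly"`. Run it as root, and override DOMAIN or SCRIPT_TYPE in the environment to test another pair; `seinfo -t` lists the types available, as Bruno noted.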