mediawiki AVC

Dominick Grift domg472 at gmail.com
Wed Mar 11 17:40:47 UTC 2009


On Wed, 2009-03-11 at 10:01 -0700, Vadym Chepkov wrote:
> Hello,
> 
> The mediawiki software has the following script; ImageMagick gets invoked using it:
> 
> $ cat /var/www/mediawiki/bin/ulimit4.sh 
> #!/bin/bash
> 
> ulimit -t $1 -v $2 -f $3
> eval "$4"
> 
> 
> I added 
> /var/www/mediawiki/bin/.*                          regular file       system_u:object_r:httpd_sys_script_exec_t:s0
> 
> into local policy. I receive the following AVC denial:
> 
> type=AVC msg=audit(1236789583.906:576443): avc:  denied  { read } for  pid=22724 comm="ulimit4.sh" path="eventpoll:[10101538]" dev=eventpollfs ino=10101538 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
> 
> audit2allow suggests the following:
> 
> allow httpd_sys_script_t httpd_t:file read;
> 
> but it doesn't seem right to me. I don't want to make it httpd_unconfined_script_exec_t, does anyone have a better suggestion?
Looks like it wants to read some httpd process info. As far as I am
concerned you can allow this access with a local policy:

echo 'avc: denied { read } for pid=22724 comm="ulimit4.sh" path="eventpoll:[10101538]" dev=eventpollfs ino=10101538 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file' | audit2allow -M myhttpdsysscript
/usr/sbin/semodule -i myhttpdsysscript.pp

Mind the line breaks.

To undo: semodule -r myhttpdsysscript

You can also run this script in a unique domain. This would require you
to write policy for it. Something like:

mkdir ~/mediawikiscript; cd ~/mediawikiscript
echo 'policy_module(mediawikiscript, 0.0.1)' > mediawikiscript.te
echo 'apache_content_template(mediawikiscript)' >> mediawikiscript.te
echo 'allow httpd_mediawikiscript_script_t httpd_t:file read;' >> mediawikiscript.te
echo '/var/www/mediawiki/bin/.* gen_context(system_u:object_r:httpd_mediawikiscript_script_exec_t,s0)' > mediawikiscript.fc

(watch the line breaks)

make -f /usr/share/selinux/devel/Makefile
semodule -i mediawikiscript.pp
restorecon -R -v /var/www/mediawiki/bin/

> Thank you.
> 
> Sincerely yours,
>   Vadym Chepkov
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
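As an added example (not code from the thread or from audit2allow itself), a small Python parser that turns AVC records like the one quoted above into the allow rule audit2allow proposes, and flags objects such as eventpoll:[...] that are descriptors inherited from the parent domain rather than files on disk. The first sample record is the denial from the thread; the second is constructed to show how several denials for one domain pair merge into a single rule.

```python
import re

# Constructed sample: the first record is the denial quoted in the thread, the
# second a made-up companion denial for the same domain pair (to show merging).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1236789583.906:576443): avc:  denied  { read } for  pid=22724 comm="ulimit4.sh" path="eventpoll:[10101538]" dev=eventpollfs ino=10101538 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
type=AVC msg=audit(1236789590.123:576451): avc:  denied  { getattr } for  pid=22724 comm="ulimit4.sh" path="eventpoll:[10101538]" dev=eventpollfs ino=10101538 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_avc(line):
    """Split one AVC record into permissions, object class and the source/target
    types (third field of the user:role:type:level context)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path"),
    }

def is_inherited_descriptor(rec):
    """True when the object is a kernel pseudo-file (epoll instance, pipe, socket)
    rather than a path on disk. With the target in another domain, that descriptor
    was created there and inherited by the script, so relabelling files cannot
    clear the denial; it needs a rule for the domain pair (or a separate domain)."""
    return rec["path"] is not None and rec["path"].startswith(("eventpoll:[", "pipe:[", "socket:["))

def allow_rules(lines):
    """Merge denials into audit2allow-style rules keyed on (source, target, class)."""
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            key = (rec["source"], rec["target"], rec["tclass"])
            merged.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        joined = " ".join(sorted(perms))
        perm_str = joined if len(perms) == 1 else "{ " + joined + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules
```

Running allow_rules over just the first sample line reproduces the rule audit2allow printed in the thread; over both lines it yields one rule with both permissions.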
