Newbie Q

Dominick Grift domg472 at gmail.com
Sat Mar 21 11:15:19 UTC 2009


On Fri, 2009-03-20 at 23:12 +0000, Aaron Gray wrote:
> > On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
> >> I am trying to use audit2allow on F10 to allow a cgi-bin perl script to run
> >> on Apache. It runs fine in permissive mode but not in enforcing.
> >>
> >> I bought the O'Reilly SE Linux book and learned the basics, but it does
> >> not really seem to help me on Fedora.
> >>
> >> There was no /var/log/kernel, so I tried /var/log/secure with the
> >> following command sequence:
> >>
> >>     setenforce 0
> >>
> >>     # access the cgi from the web
> >>
> >>     setenforce 1
> >>
> >>     audit2allow -l -i /var/log/secure
> >>
> >> What is also strange is that the system is not flagging things up with a
> >> notification icon anymore in enforcing mode.
> >>
> >> If someone could guide me or push me in the right direction I would be
> >> most thankful.
> > auditd logs to /var/log/audit/audit.log
> >
> > To use cgi you must set the boolean httpd_enable_cgi.
> 
> Great, GIT on Apache is running now! :) Thanks
> 
> But not accessing the repositories, looks like a script is needed.
> 
> > Then either label the cgi type httpd_sys_script_exec_t or create a
> > custom domain for your script:
> >
> > mkdir myscript; cd myscript;
> > echo "policy_module(myscript, 0.0.1)" > myscript.te
> > echo "apache_content_template(myscript)" >> myscript.te
> > echo "/var/www/cgi-bin/myscript.pl -- gen_context(system_u:object_r:httpd_myscript_script_exec_t, s0)" > myscript.fc
> >
> > make -f /usr/share/selinux/devel/Makefile
> > semodule -i myscript.pp
> > restorecon -R -v /var/www/cgi-bin/myscript.pl
> 
> This is interesting. Command line, thanks; interesting. I will have to learn
> this stuff on the command line to understand it properly.
> 
> > This is just a base module; you will likely need to extend it. You can do
> > so by making httpd_myscript_script_t permissive and then extending
> > your source policy with any rules required from audit.log/audit2why:
> >
> > semanage permissive -a httpd_myscript_script_t
> 
> Nice :)
> 
> > ausearch -m avc -ts today | grep httpd_myscript_script_t | audit2allow -R >> myscript.te
> > make -f /usr/share/selinux/devel/Makefile
> > semodule -i myscript.pp
> 
> This might just do the job !
> 
> > semanage permissive -d httpd_myscript_script_t
> >
> > (to remove the permissive domain)
> 
> Is there any reason not to be using setenforce 0/1 on a machine behind a
> firewall?

What makes you think that the security threat only comes from the
network? There might be a rogue program local to the system, and if you
setenforce 0, you allow everything, which is not what I would want.

By using semanage permissive -a <domain> you only allow a specific
domain to run in permissive mode. This minimizes the risk and it
conforms to SELinux's least-privilege philosophy.

> I will try this. Looks like there's a need for a good howto that shows how
> simple these things can be.
> 
> Many thanks Dominick
> 
> Aaron
> 
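Worked example of the custom-domain workflow from the thread, added here and not code from the SELinux project or from either poster. It renders the same myscript.te/myscript.fc skeleton the echo one-liners produce, then does in Python what the `ausearch -m avc | grep httpd_myscript_script_t | audit2allow` step does: it keeps only the denials whose source type is the permissive domain, merges them per (source, target, class) into allow rules, and adds the require block for types the module does not declare itself. The module and type names follow the thread; the AVC records are constructed for the example (one of them is a denial from httpd_t, which the domain filter has to drop), and `var_lib_t` as the target type is an assumption, not something the thread states.

```python
"""Added example for the custom-domain workflow in the thread above; not code
from the SELinux project or from either poster.  It renders the myscript.te /
myscript.fc skeleton the echo one-liners produce, then does in Python what
`ausearch -m avc | grep <domain> | audit2allow` does: merge the denials logged
for the permissive domain into allow rules.  Names follow the thread; the AVC
lines are constructed for the example, not real log output."""
import os
import re
import tempfile
from collections import defaultdict

# Fields of an AVC record as auditd writes it to /var/log/audit/audit.log.
# permissive=1 marks a denial that was logged but not enforced, which is what
# a domain added with `semanage permissive -a <domain>` produces.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?")

# Constructed sample denials: three from the script's own (permissive) domain
# and one from httpd_t itself, which the domain filter must leave out.
SAMPLE_AVC = """\
type=AVC msg=audit(1237633719.101:201): avc:  denied  { search } for  pid=2345 comm="myscript.pl" name="git" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_myscript_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1237633719.102:202): avc:  denied  { read } for  pid=2345 comm="myscript.pl" name="HEAD" dev=dm-0 ino=1002 scontext=system_u:system_r:httpd_myscript_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1237633719.103:203): avc:  denied  { getattr } for  pid=2345 comm="myscript.pl" path="/var/lib/git/repo/HEAD" dev=dm-0 ino=1002 scontext=system_u:system_r:httpd_myscript_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1237633719.104:204): avc:  denied  { write } for  pid=2400 comm="httpd" name="error_log" dev=dm-0 ino=2001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

def skeleton_te(name):
    """The two-line .te the thread builds with echo."""
    return f"policy_module({name}, 0.0.1)\napache_content_template({name})\n"

def skeleton_fc(name, script_path):
    """The one-line .fc: label the script so httpd transitions into the
    httpd_<name>_script_t domain when it executes it."""
    return (f"{script_path} -- "
            f"gen_context(system_u:object_r:httpd_{name}_script_exec_t, s0)\n")

def type_of(context):
    """Pull the type out of a user:role:type[:range] security context."""
    return context.split(":")[2]

def avc_to_allow_rules(lines, domain):
    """Keep only denials whose source type is DOMAIN and merge the permissions
    per (source, target, class) into one allow rule each, as audit2allow does."""
    merged = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None or type_of(m.group("scontext")) != domain:
            continue
        key = (domain, type_of(m.group("tcontext")), m.group("tclass"))
        merged[key].update(m.group("perms").split())
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(merged.items())]

def require_block(rules, own_prefix):
    """Types the rules reference that this module does not declare itself
    (apache_content_template's types all start with own_prefix) have to be
    pulled in with a require block, or the module will not build."""
    foreign = set()
    for rule in rules:
        parts = rule.split()                      # allow SRC TGT:CLS { ... };
        for t in (parts[1], parts[2].split(":")[0]):
            if not t.startswith(own_prefix):
                foreign.add(t)
    if not foreign:
        return ""
    body = "".join(f"\ttype {t};\n" for t in sorted(foreign))
    return "require {\n" + body + "}\n"

def extended_te(name, lines):
    """Skeleton .te plus the require block and the rules derived from LINES:
    the file you rebuild with make -f /usr/share/selinux/devel/Makefile."""
    rules = avc_to_allow_rules(lines, f"httpd_{name}_script_t")
    return (skeleton_te(name) + "\n" + require_block(rules, f"httpd_{name}_")
            + "\n" + "\n".join(rules) + "\n")

def write_module(name, script_path, lines, directory):
    """Write <name>.te and <name>.fc into DIRECTORY; return their paths.
    Building and loading (make, semodule -i, restorecon) is left to the
    commands in the thread, which need root and the policy devel files."""
    os.makedirs(directory, exist_ok=True)
    te_path = os.path.join(directory, name + ".te")
    fc_path = os.path.join(directory, name + ".fc")
    with open(te_path, "w") as f:
        f.write(extended_te(name, lines))
    with open(fc_path, "w") as f:
        f.write(skeleton_fc(name, script_path))
    return te_path, fc_path

if __name__ == "__main__":
    te, fc = write_module("myscript", "/var/www/cgi-bin/myscript.pl",
                          SAMPLE_AVC.splitlines(), tempfile.mkdtemp())
    print(open(te).read() + open(fc).read())
```

Two things the script makes visible that the one-liners hide: the httpd_t denial never reaches the module because the filter is on the source type, not on the text of the line, and with `permissive=0` it would have been enforced anyway; and the rules come out as plain allow rules with a require block, whereas `audit2allow -R` prefers an interface call from the installed reference policy where one matches. Either way the module still has to be rebuilt and reloaded with the make/semodule commands above, and `semanage permissive -d httpd_myscript_script_t` is what puts the domain back into enforcing mode once the rules are in place.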
