From: Dominick Grift <domg472@gmail.com>
To: Scott Radvan <sradvan@redhat.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: request for review of httpd-related Boolean definitions
Date: Tue, 31 Mar 2009 12:30:18 +0200 [thread overview]
Message-ID: <1238495418.3465.69.camel@notebook2.grift.internal> (raw)
In-Reply-To: <20090331151638.770627cb@redhat.com>
On Tue, 2009-03-31 at 15:16 +1000, Scott Radvan wrote:
I am going to use this thread to just share any thoughts i have with regards to this
>
> o allow_httpd_anon_write
> This Boolean is off by default, allowing httpd only read access to
> files labeled with the public_content_rw_t type. Enabling this Boolean
> will allow httpd to write to files labeled with the public_content_rw_t
> type, such as a public directory containing files for a public file
> transfer service.
> o allow_httpd_mod_auth_ntlm_winbind
> This Boolean is off by default. Enabling it will allow access to NTLM
> and Winbind authentication mechanisms via the mod_auth_ntlm_winbind
> module in httpd.
>
> o allow_httpd_mod_auth_pam
> This Boolean is off by default. Enabling it will allow access to PAM
> authentication mechanisms via the mod_auth_pam module in httpd.
>
> o allow_httpd_sys_script_anon_write
> This Boolean is off by default. It defines whether or not HTTP scripts
> are allowed write access to files labeled with the public_content_rw_t
> type, as used in a public file transfer service.
>
> o httpd_builtin_scripting
> This Boolean is on by default, allowing httpd scripting. Having this
> Boolean enabled is often required for PHP content.
It allows:
1. httpd_t to manage templated httpd rw content,
2. httpd_t to read templated httpd ra content,
3. httpd_t to read templated httpd content,
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_
$1_content_rw_t)
manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_
$1_content_rw_t)
manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_
$1_content_rw_t)
rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_
$1_content_rw_t)
allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms
add_entry_dir_perms };
read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_
$1_content_ra_t)
append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_
$1_content_ra_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_
$1_content_ra_t)
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
')
I think this is a bug in policy or atleast that this boolean is too
coarse
with this boolean set to false: httpd_t cannot read
httpd_user_content_t. Basically what it means is that you cannot use
httpd userdirs (httpd_enable_userdirs) without scripting enabled.
> o httpd_can_network_connect
> This Boolean is off by default, preventing HTTP scripts and modules
> from initiating a connection to a network or remote port. Turn this
> Boolean on to allow this access.
>
> o httpd_can_network_connect_db
> This Boolean is off by default, preventing HTTP scripts and modules
> from initiating a connection to database servers. Turn this Boolean on
> to allow this access.
>
> o httpd_can_network_relay
> Turn this Boolean on when httpd is being used as a forward or
> reverse proxy.
>
> o httpd_can_sendmail
> This Boolean is off by default, preventing HTTP modules from sending
> mail. This can prevent spam attacks should a vulnerability be found in
> httpd. Turn this Boolean on to allow HTTP modules to send mail.
>
> o httpd_dbus_avahi
> This Boolean is off by default, denying httpd access to the avahi
> service via dbus. Turn this Boolean on to allow this access.
>
> o httpd_enable_cgi
> By default, SELinux prevents httpd from executing CGI scripts. Turn
> this Boolean on to allow httpd to execute CGI scripts (CGI scripts must
> be labeled with the httpd_sys_script_exec_t type).
1. It creates an entrypoint for templated httpd domains and their
executable files
2. It allow httpd_t to domain transition to templated httpd domains
3. it allows templated httpd domains basic permissions to run.
tunable_policy(`httpd_enable_cgi',`
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
# privileged users run the script:
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_
$1_script_t)
allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
# apache runs the script:
domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
allow httpd_$1_script_t self:process { setsched signal_perms };
allow httpd_$1_script_t self:unix_stream_socket
create_stream_socket_perms;
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
kernel_read_system_state(httpd_$1_script_t)
dev_read_urand(httpd_$1_script_t)
fs_getattr_xattr_fs(httpd_$1_script_t)
files_read_etc_runtime_files(httpd_$1_script_t)
files_read_usr_files(httpd_$1_script_t)
libs_read_lib_files(httpd_$1_script_t)
miscfiles_read_localization(httpd_$1_script_t)
')
So it is not only for httpd_sys_script_exec_t but for example also
httpd_user_script_exec_t or any other httpd domain create with
apache_content_template or declared as apache_domain()
Also it is specifically responsible for domain transitions.
> o httpd_enable_ftp_server
> Turning this Boolean on will allow httpd to listen on the FTP port and
> act as an FTP server.
>
> o httpd_enable_homedirs
> By default, SELinux prevents httpd from accessing user home
> directories. Turn this Boolean on to allow httpd access to user home
> directories, for example, /home/*/public_html/.
All it does is allow httpd_t to search /home/*/ for httpd content
tunable_policy(`httpd_enable_homedirs',`
userdom_search_user_home_dirs(httpd_t)
userdom_search_user_home_dirs(httpd_suexec_t)
userdom_search_user_home_dirs(httpd_user_script_t)
')
This does not actually allow httpd_t to read httpd_user_content_t
( requires the httpd_builtin_scripting boolean to be set )
> o httpd_execmem
tunable_policy(`httpd_execmem',`
allow httpd_t self:process { execmem execstack };
allow httpd_sys_script_t self:process { execmem execstack };
allow httpd_suexec_t self:process { execmem execstack };
')
Note that is also allows execstack.
Note that it allows it also for httpd_sys_script_t
Note that it *does not* allow it for httpd_user_script_t ( or any other
templated httpd script)
>
> o httpd_ssi_exec
> Off by default, this Boolean makes sure that httpd can only execute
> shell scripts that have the shell_exec_t type assigned to them.
> Enabling this Boolean will allow httpd to execute any script.
>
> o httpd_tty_comm
> This Boolean defines whether or not httpd is allowed access to the
> controlling terminal. Usually this access is not required; however in
> cases such as configuring an SSL certificate file, terminal access is
> required to display and process a password prompt.
>
> o httpd_unified
> This Boolean is off by default, turning it on will allow all httpd
> executables to have full access to all content labeled with http file
> context. Leaving it off ensures that one httpd service can not
> interfere with another, limiting the opportunity for privilege
> escalation vulnerability.
I think this boolean needs a good thorough review.
I do not think it works properly but i might be wrong
> o httpd_use_cifs
> Turn this Boolean on to allow httpd access to files on CIFS file
> systems that are labeled with the cifs_t type, such as file systems
> mounted via Samba.
>
> o httpd_use_nfs
> Turn this Boolean on to allow httpd access to files on NFS file systems
> that are labeled with the nfs_t type, such as file systems mounted via
> NFS.
>
>
> All comments are more than welcome! Again, thank you.
>
>
>
> [1] - https://fedorahosted.org/managing-confined-services/
> [2] - http://people.redhat.com/drepper/selinux-mem.html
>
>
> Cheers,
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2009-03-31 10:30 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-31 5:16 request for review of httpd-related Boolean definitions Scott Radvan
2009-03-31 10:30 ` Dominick Grift [this message]
2009-03-31 14:42 ` m
2009-04-06 17:53 ` Daniel J Walsh
2009-04-06 17:55 ` Daniel J Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1238495418.3465.69.camel@notebook2.grift.internal \
--to=domg472@gmail.com \
--cc=selinux@tycho.nsa.gov \
--cc=sradvan@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.