* Apache 2 file contexts
From: Tom @ 2002-10-08 14:00 UTC (permalink / raw)
To: selinux
Having just installed Apache 2 (from the sid Debian packages) on my
SELinux test system, I found that it works flawlessly once some additions
to the apache.fc file have been made. Here's a preliminary patch; I
haven't yet experimented with CGIs, vhosts and SSL:
*** /usr/share/selinux/policy/default/file_contexts/program/apache.fc Wed Oct 2 02:12:59 2002
--- apache.fc Tue Oct 8 17:54:13 2002
***************
*** 9,22 ****
/etc/httpd/conf(/.*)? system_u:object_r:httpd_config_t
/etc/httpd/logs system_u:object_r:httpd_log_files_t
/etc/httpd/modules system_u:object_r:httpd_modules_t
/usr/lib/apache(/.*)? system_u:object_r:httpd_modules_t
/usr/sbin/httpd system_u:object_r:httpd_exec_t
/usr/sbin/apache system_u:object_r:httpd_exec_t
/usr/sbin/suexec system_u:object_r:httpd_suexec_exec_t
/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? system_u:object_r:httpd_suexec_exec_t
/usr/lib/apache/suexec system_u:object_r:httpd_suexec_exec_t
/var/log/httpd(/.*)? system_u:object_r:httpd_log_files_t
! /var/log/apache(/.*)? system_u:object_r:httpd_log_files_t
/var/log/cgiwrap.log.* system_u:object_r:httpd_log_files_t
/var/cache/ssl.*\.sem system_u:object_r:httpd_cache_t
! /var/run/apache.pid.* system_u:object_r:httpd_var_run_t
--- 9,28 ----
/etc/httpd/conf(/.*)? system_u:object_r:httpd_config_t
/etc/httpd/logs system_u:object_r:httpd_log_files_t
/etc/httpd/modules system_u:object_r:httpd_modules_t
+ /etc/apache(2)?(/.*)? system_u:object_r:httpd_config_t
+ /etc/vhosts system_u:object_r:httpd_config_t
+ /usr/lib/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_t
/usr/lib/apache(/.*)? system_u:object_r:httpd_modules_t
+ /usr/lib/apache2/modules(/.*)? system_u:object_r:httpd_modules_t
/usr/sbin/httpd system_u:object_r:httpd_exec_t
/usr/sbin/apache system_u:object_r:httpd_exec_t
+ /usr/sbin/apache2 system_u:object_r:httpd_exec_t
/usr/sbin/suexec system_u:object_r:httpd_suexec_exec_t
+ /usr/lib/apache2/suexec2 system_u:object_r:httpd_suexec_exec_t
/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? system_u:object_r:httpd_suexec_exec_t
/usr/lib/apache/suexec system_u:object_r:httpd_suexec_exec_t
/var/log/httpd(/.*)? system_u:object_r:httpd_log_files_t
! /var/log/apache(2)?(/.*)? system_u:object_r:httpd_log_files_t
/var/log/cgiwrap.log.* system_u:object_r:httpd_log_files_t
/var/cache/ssl.*\.sem system_u:object_r:httpd_cache_t
! /var/run/apache(2)?.pid.* system_u:object_r:httpd_var_run_t
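Review bot: the last `!` line, `/var/run/apache(2)?.pid.*`, carries over the unescaped `.` before `pid` from the original entry, so it matches any single character there rather than a literal dot; `/var/run/apache(2)?\.pid.*` says what the entry means, the way `/var/cache/ssl.*\.sem` in the same hunk already does. Two smaller points on the `+` lines: the new `/usr/lib/cgi-bin(/.*)?` entry sits ahead of the existing `/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?` entry, so cgiwrap keeps its httpd_suexec_exec_t label only because a later matching entry in file_contexts takes precedence, which deserves a comment so a future reorder does not silently relabel it; and `/etc/vhosts` is given httpd_config_t without a note on what creates it on Debian, which the reply in this thread already asks about.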
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Apache 2 file contexts
From: Russell Coker @ 2002-10-08 17:06 UTC (permalink / raw)
To: Tom, selinux
On Tue, 8 Oct 2002 16:00, Tom wrote:
> Having just installed Apache 2 (from the sid Debian packages) on my
> SELinux test system, I found that it works flawlessly once some additions
> to the apache.fc file have been made. Here's a preliminary patch; I
> haven't yet experimented with CGIs, vhosts and SSL:
Good work! You not only got it working with apache2 but fixed a couple of
things I missed in getting it to work properly with Debian!
If you'd like to make Apache your thing then you could start working on the
policy for Apache; there are quite a few things that could be improved. For
starters a set of macros for different features commonly used with Apache
would be good. Something like define(`apache_php') for using PHP, etc. would
be really handy to have. Also we'll probably need support for multiple user
domains for cgi-bin scripts.
Apache policy would be a starter project for someone who wants to get
seriously involved in SE Linux (I think that you do). The Apache policy was
written in the early days and hasn't benefited from the re-writes that have
covered most of the other policy. I haven't done anything serious with it as
it's functional enough that I was not forced to, but ugly enough that I
didn't want to...
Anyway I've updated my tree with the equivalent code to your patch (I've
changed the order a bit but it's essentially what you wrote). I'll send in a
patch to Steve tomorrow.
> + /etc/vhosts system_u:object_r:httpd_config_t
What is /etc/vhosts? I've never used Apache2...
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: Apache 2 file contexts
From: Tom @ 2002-10-09 10:29 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux
On Tue, Oct 08, 2002 at 07:06:13PM +0200, Russell Coker wrote:
> Good work! You not only got it working with apache2 but fixed a couple of
> things I missed in getting it to work properly with Debian!
Thought so, but I wasn't sure. :)
> If you'd like to make Apache your thing then you could start working on the
> policy for Apache; there are quite a few things that could be improved. For
> starters a set of macros for different features commonly used with Apache
> would be good. Something like define(`apache_php') for using PHP, etc. would
> be really handy to have. Also we'll probably need support for multiple user
> domains for cgi-bin scripts.
I will definitely work further on Apache, especially the PHP/CGI part
and interaction with proftpd (so users can upload stuff and it
automatically gets the right types).
> Anyway I've updated my tree with the equivalent code to your patch (I've
> changed the order a bit but it's essentially what you wrote). I'll send in a
> patch to Steve tomorrow.
>
> > + /etc/vhosts system_u:object_r:httpd_config_t
>
> What is /etc/vhosts? I've never used Apache2...
I have no idea, actually. I've just started working with Apache2. I
will find out soon, though, and then decide if it warrants its own
type.
(I know for sure that it's part of Apache2)
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* Re: Apache 2 file contexts
From: Tom @ 2002-10-09 15:25 UTC (permalink / raw)
To: selinux
Apache2 requires some weird socket access, which I traced to the
following (by disabling all the dontaudits in the apache.te):
Oct 9 19:16:20 nsa2 kernel: avc: denied { read } for pid=5347 exe=/usr/sbin/apache2 path=/1 dev=00:07 ino=3 scontext=system_u:system_r:httpd_t tcontext=tom:object_r:sysadm_devpts_t tclass=chr_file
piping that into newrules tells me:
allow httpd_t sysadm_devpts_t:chr_file { read };
Which to my (still somewhat green) ears doesn't sound like a
tremendously great idea.
It uses this only during startup, so I'm not entirely sure what it's
doing. Anyone else played with Apache2 already?
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
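The newrules step Tom describes, turning an `avc: denied` line into an `allow` rule, as an added Python example that is not part of the thread or of the newrules tool: it parses the denial quoted above (a constructed copy, plus a made-up `write` companion to show merging) and flags rules whose target is a terminal type, since those usually mean the daemon never let go of the tty it was started from. The `TERMINAL_TYPES` list is an assumption for the flagging heuristic, not something the policy defines.

```python
import re

# Constructed sample lines: the first mirrors the denial quoted in the thread,
# the second is a made-up companion denial that shows how permissions merge.
SAMPLE_AVC = [
    "Oct 9 19:16:20 nsa2 kernel: avc: denied { read } for pid=5347 "
    "exe=/usr/sbin/apache2 path=/1 dev=00:07 ino=3 "
    "scontext=system_u:system_r:httpd_t tcontext=tom:object_r:sysadm_devpts_t "
    "tclass=chr_file",
    "Oct 9 19:16:20 nsa2 kernel: avc: denied { write } for pid=5347 "
    "exe=/usr/sbin/apache2 path=/1 dev=00:07 ino=3 "
    "scontext=system_u:system_r:httpd_t tcontext=tom:object_r:sysadm_devpts_t "
    "tclass=chr_file",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
# Target types that mean "the daemon still holds the terminal it was started from"
# rather than a resource it needs for its job (an assumed heuristic, not policy).
TERMINAL_TYPES = ("devpts_t", "tty_device_t")

def parse_avc(line):
    """Return (perms, fields) for one 'avc: denied' line, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return perms, fields

def type_of(context):
    """user:role:type -> type; allow rules are written in terms of types only."""
    return context.split(":")[-1]

def allow_rules(lines):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        key = (type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])
        merged.setdefault(key, set()).update(perms)
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

def grants_terminal_access(rule):
    """True when a generated rule would let the daemon keep a terminal open."""
    return rule.split()[2].split(":")[0].endswith(TERMINAL_TYPES)
```

Running `allow_rules(SAMPLE_AVC[:1])` reproduces the rule newrules printed for Tom; a flagged rule is a prompt to fix the daemon's startup rather than to widen the policy.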
* Re: Apache 2 file contexts
From: Russell Coker @ 2002-10-09 19:34 UTC (permalink / raw)
To: Tom, selinux
On Wed, 9 Oct 2002 17:25, Tom wrote:
> Apache2 requires some weird socket access, which I traced to the
> following (by disabling all the dontaudits in the apache.te):
>
> Oct 9 19:16:20 nsa2 kernel: avc: denied { read } for pid=5347
> exe=/usr/sbin/apache2 path=/1 dev=00:07 ino=3
> scontext=system_u:system_r:httpd_t tcontext=tom:object_r:sysadm_devpts_t
> tclass=chr_file
>
> piping that into newrules tells me:
>
> allow httpd_t sysadm_devpts_t:chr_file { read };
Most daemons do that. This is because they inherit file handles 0, 1, and 2
(stdin, stdout, stderr) from the shell. Some daemons can survive without
such access, but many (most) can't.
In my tree for many daemons I have something like the following:
allow daemon_t admin_tty_type:chr_file { read write };
I am going to devise a different solution to this, see the list archives for
my previous messages on the topic.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
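Russell's point is that the denial comes from fds 0, 1 and 2 inherited from the shell. The alternative to allowing the access is for the daemon to drop those descriptors at startup; this added Python example (not code from the thread, Apache or Russell's policy tree) shows that step and a check that no terminal is left open afterwards. It assumes `/dev/null` exists, and `os.dup2` is the same redirection a C daemon would do with dup2(2).

```python
import os

def inherited_terminals():
    """Which of fds 0-2 (stdin, stdout, stderr) still refer to a terminal. A pty
    slave is exactly the devpts chr_file the AVC denial in the thread names."""
    return [fd for fd in (0, 1, 2) if os.isatty(fd)]

def detach_stdio(sink="/dev/null"):
    """Point fds 0-2 at `sink` so the daemon drops its inherited terminal before
    the policy has to allow (or dontaudit) access to it. Returns the fds replaced."""
    fd = os.open(sink, os.O_RDWR)
    replaced = []
    try:
        for target in (0, 1, 2):
            # os.open hands back 0, 1 or 2 itself if one of them was already
            # closed; dup2 onto the same number is pointless, so skip it.
            if fd != target:
                os.dup2(fd, target)
            replaced.append(target)
    finally:
        if fd > 2:
            os.close(fd)
    return replaced

def refers_to(fd, path):
    """True when fd and path name the same inode (confirms the redirection)."""
    a, b = os.fstat(fd), os.stat(path)
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)
```

After `detach_stdio()` the daemon holds no reference to the admin's tty, so no `allow httpd_t sysadm_devpts_t:chr_file` rule is needed for startup.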