From: Daniel J Walsh <dwalsh@redhat.com>
To: Yong Lee <ylee@eqo.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: runcon problems
Date: Tue, 03 Apr 2007 10:52:46 -0400
Message-ID: <46126A3E.2080909@redhat.com>
In-Reply-To: <012201c77006$615c44a0$aa5a0a0a@yonglaptop>
Yong Lee wrote:
>
> Hi all,
>
> I’m rather new to selinux and was hoping that someone could help me
> with a problem I am having. I’m running on redhat WS 4 2.6.9-42. I’m
> trying to get a php based web application to make a system call to do
> a java compile. I was getting a bunch of avc issues trying to do this
> and rather than try to change the selinux policy I was hoping to make
> use of the runcon command to run a script which would do my java
> compile call.
>
> So I have a script that looks something like this :
>
> #!/bin/sh
>
> exec /usr/bin/java -jar $2 $3 $4 $5
>
> and I’m trying to call it using a system call from php :
>
> /usr/bin/runcon /home/test/runjava a b c d
>
> denied { write } for pid=727 comm="runcon" name="exec" dev=proc
> ino=47644693 scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=file
>
> when I edit my targeted policy and recompile to allow the write on
> exec, I get :
>
> Mar 26 16:54:14 localhost kernel: audit(1174953254.268:1216): avc:
> denied { setexec } for pid=1097 comm="runcon"
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=process
>
> I was going to add
>
> allow httpd_sys_script_t self:process setexec;
>
> to the policy rules but I’m thinking that this may not be a good idea
> and there must be a better way to get this done. I’m hoping that some
> of u gurus with a lot more experience in this area could help shed
> some light on the best way of allowing my php script to successfully
> call the java binary without making so many changes to the existing
> selinux policy.
>
Confined apps cannot use the runcon process. You have two choices:
1. Either add rules to a local.te file, or
2. Turn off confinement for your cgi script:
chcon -t httpd_unconfined_script_exec_t PATHTOCGI
In RHEL5 you could:
1. Build a policy for your cgi script to be able to run the java compiler.
Create a te file that looks like
#cat javacgi.te
policy_module(javacgi,1.0.0)
########################################
#
# Declarations
#
apache_content_template(javacgi)
Create an fc file that looks like:
# cat javacgi.fc
/var/www/cgi-bin/javacgi.cgi --
gen_context(system_u:object_r:httpd_javacgi_script_exec_t,s0)
Compile them and load the policy
# make -f /usr/share/selinux/devel/Makefile
# semodule -i javacgi.pp
# restorecon /var/www/cgi-bin/javacgi.cgi
Go to permissive mode
# setenforce 0
Run your cgi tests.
Use audit2allow -R to generate appropriate allow rules
# grep javacgi /var/log/audit/audit.log | audit2allow -R >> javacgi.te
# make -f /usr/share/selinux/devel/Makefile
# semodule -i javacgi.pp
Turn back on enforcing mode
# setenforce 1
> thanks,
>
> Yong.
>
> Yong Lee
>
> Developer
>
> ylee@EQO.com <mailto:ylee@EQO.com>
>
> <http://www.eqo.com/>
>
> direct: +1.604.273.8173 x113
>
> mobile: +1.604.418.4470
>
> fax: +1.604.273.8172
>
> web: www.EQO.com <http://www.eqo.com/>
>
> EQO ID: yonglee
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
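The two denials Yong quotes, run through a small audit-log checker as an added example (not code from this thread or from the SELinux project): it parses AVC lines, flags the pair of self-denials that runcon produces when called from a confined domain, and reports what Dan's reply says about them. The third sample line is a constructed, unrelated denial included to show it is left alone.

```python
import re

# Constructed sample input: the two denials quoted in the thread (one bare, one
# with the syslog/audit prefix) plus one unrelated constructed denial.
SAMPLE_AVCS = """\
avc: denied { write } for pid=727 comm="runcon" name="exec" dev=proc ino=47644693 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=file
Mar 26 16:54:14 localhost kernel: audit(1174953254.268:1216): avc: denied { setexec } for pid=1097 comm="runcon" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Mar 26 16:54:20 localhost kernel: audit(1174953260.100:1217): avc: denied { read } for pid=1100 comm="java" name="lib" dev=hda2 ino=1 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:usr_t tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC line into (permission set, key=value fields), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return set(m.group('perms').split()), fields

def domain(ctx):
    return ctx.split(':')[2]      # user:role:type[:mls] -> type

def runcon_diagnosis(perms, f):
    """Explain a denial if it is runcon failing inside a confined domain."""
    if f.get('scontext') != f.get('tcontext'):
        return None               # both runcon denials are against the process itself
    d = domain(f['scontext'])
    if f.get('tclass') == 'process' and 'setexec' in perms:
        return (f"{d} denied setexec: runcon cannot switch context from a confined "
                "domain; give the script its own domain (apache_content_template) "
                "instead of allowing setexec")
    if (f.get('tclass') == 'file' and f.get('dev') == 'proc'
            and f.get('name') == 'exec' and 'write' in perms):
        return (f"{d} denied writing /proc/self/attr/exec, runcon's first step; "
                "allowing it only moves the failure to a setexec denial")
    return None

def diagnose(text):
    """Return (pid, comm, explanation) for every runcon-style denial in text."""
    out = []
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed and (why := runcon_diagnosis(*parsed)):
            out.append((int(parsed[1]['pid']), parsed[1]['comm'], why))
    return out
```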
Thread overview: 3+ messages
2007-03-27 0:25 runcon problems Yong Lee
2007-04-03 14:52 ` Daniel J Walsh [this message]
2007-04-04 0:38 ` Russell Coker