* runcon problems
@ 2007-03-27 0:25 Yong Lee
2007-04-03 14:52 ` Daniel J Walsh
From: Yong Lee @ 2007-03-27 0:25 UTC (permalink / raw)
To: selinux
Hi all,
I'm rather new to selinux and was hoping that someone could help me with a
problem I am having. I'm running on redhat WS 4 2.6.9-42. I'm trying to
get a php based web application to make a system call to do a java compile.
I was getting a bunch of avc issues trying to do this and rather than try to
change the selinux policy I was hoping to make use of the runcon command to
run a script which would do my java compile call.
So I have a script that looks something like this:
#!/bin/sh
exec /usr/bin/java -jar $2 $3 $4 $5
and I'm trying to call it using a system call from php:
/usr/bin/runcon /home/test/runjava a b c d
denied { write } for pid=727 comm="runcon" name="exec" dev=proc
ino=47644693 scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=file
when I edit my targeted policy and recompile to allow the write on exec, I
get :
Mar 26 16:54:14 localhost kernel: audit(1174953254.268:1216): avc: denied
{ setexec } for pid=1097 comm="runcon"
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
I was going to add
allow httpd_sys_script_t self:process setexec;
to the policy rules but I'm thinking that this may not be a good idea and
there must be a better way to get this done. I'm hoping that some of u
gurus with a lot more experience in this area could help shed some light on
the best way of allowing my php script to successfully call the java binary
without making so many changes to the existing selinux policy.
thanks,
Yong.
Yong Lee
Developer
ylee@EQO.com
<http://www.eqo.com/>
direct: +1.604.273.8173 x113
mobile: +1.604.418.4470
fax: +1.604.273.8172
web: www.EQO.com <http://www.eqo.com/>
EQO ID: yonglee
* Re: runcon problems
From: Daniel J Walsh @ 2007-04-03 14:52 UTC (permalink / raw)
To: Yong Lee; +Cc: selinux
Yong Lee wrote:
>
> Hi all,
>
> I’m rather new to selinux and was hoping that someone could help me
> with a problem I am having. I’m running on redhat WS 4 2.6.9-42. I’m
> trying to get a php based web application to make a system call to do
> a java compile. I was getting a bunch of avc issues trying to do this
> and rather than try to change the selinux policy I was hoping to make
> use of the runcon command to run a script which would do my java
> compile call.
>
> So I have a script that looks something like this :
>
> #!/bin/sh
>
> exec /usr/bin/java -jar $2 $3 $4 $5
>
> and I’m trying to call it using a system call from php :
>
> /usr/bin/runcon /home/test/runjava a b c d
>
> denied { write } for pid=727 comm="runcon" name="exec" dev=proc
> ino=47644693 scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=file
>
> when I edit my targeted policy and recompile to allow the write on
> exec, I get :
>
> Mar 26 16:54:14 localhost kernel: audit(1174953254.268:1216): avc:
> denied { setexec } for pid=1097 comm="runcon"
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=process
>
> I was going to add
>
> allow httpd_sys_script_t self:process setexec;
>
> to the policy rules but I’m thinking that this may not be a good idea
> and there must be a better way to get this done. I’m hoping that some
> of u gurus with a lot more experience in this area could help shed
> some light on the best way of allowing my php script to successfully
> call the java binary without making so many changes to the existing
> selinux policy.
>
Confined apps can not use the runcon process. You have two choices.
1. Either add rules to a local.te file
2. Turn off confinement for your cgi script:
chcon -t httpd_unconfined_script_exec_t PATHTOCGI
In RHEL5 you could:
1. Build a policy for your cgi script to be able to run the java compiler.
Create a te file that looks like
#cat javacgi.te
policy_module(javacgi,1.0.0)
########################################
#
# Declarations
#
apache_content_template(javacgi)
Create an fc file that looks like:
# cat javacgi.fc
/var/www/cgi-bin/javacgi.cgi --
gen_context(system_u:object_r:httpd_javacgi_script_exec_t,s0)
Compile them and load the policy
# make -f /usr/share/selinux/devel/Makefile
# semodule -i javacgi.pp
# restorecon /var/www/cgi-bin/javacgi.cgi
Go to permissive mode
#setenforce 0
Run your cgi tests.
Use audit2allow -R to generate appropriate allow rules
# grep javacgi /var/log/audit/audit.log | audit2allow -R >> javacgi.te
# make -f /usr/share/selinux/devel/Makefile
# semodule -i javacgi.pp
Turn back on enforcing mode
# setenforce 1
> thanks,
>
> Yong.
>
> Yong Lee
>
> Developer
>
> ylee@EQO.com <mailto:ylee@EQO.com>
>
> <http://www.eqo.com/>
>
> direct: +1.604.273.8173 x113
>
> mobile: +1.604.418.4470
>
> fax: +1.604.273.8172
>
> web: www.EQO.com <http://www.eqo.com/>
>
> EQO ID: yonglee
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
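As an added illustration (not code from the thread or from the SELinux tools), the following Python mirrors what the `audit2allow` step in Daniel's reply does with the two denials Yong posted: it parses AVC records and folds them into allow rules, using `self` when source and target types match. The log lines are constructed (syslog prefixes added; the third `read` denial is invented to show permission merging).

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials from the thread, given a syslog
# prefix, plus one invented 'read' denial to show merging, plus a non-AVC line.
SAMPLE_LOG = [
    'Mar 26 16:54:13 localhost kernel: audit(1174953253.100:1215): avc: denied '
    '{ write } for pid=727 comm="runcon" name="exec" dev=proc ino=47644693 '
    'scontext=root:system_r:httpd_sys_script_t '
    'tcontext=root:system_r:httpd_sys_script_t tclass=file',
    'Mar 26 16:54:14 localhost kernel: audit(1174953254.268:1216): avc: denied '
    '{ setexec } for pid=1097 comm="runcon" '
    'scontext=root:system_r:httpd_sys_script_t '
    'tcontext=root:system_r:httpd_sys_script_t tclass=process',
    'Mar 26 16:54:14 localhost kernel: audit(1174953254.300:1217): avc: denied '
    '{ read } for pid=727 comm="runcon" name="exec" dev=proc ino=47644693 '
    'scontext=root:system_r:httpd_sys_script_t '
    'tcontext=root:system_r:httpd_sys_script_t tclass=file',
    'Mar 26 16:54:15 localhost sshd[2200]: Accepted publickey for root',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the parsed denial as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        # a context is user:role:type[:range]; policy rules name the type
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }

def allow_rules(lines):
    """Merge denials per (source, target, class) into allow rules, audit2allow style.
    Review each rule before loading: 'setexec' lets a domain change its own
    execution context, which is what confining httpd_sys_script_t is meant to stop."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        target = 'self' if d['stype'] == d['ttype'] else d['ttype']
        merged[(d['stype'], target, d['tclass'])] |= d['perms']
    rules = []
    for (stype, target, tclass), perms in sorted(merged.items()):
        p = ' '.join(sorted(perms))
        rules.append('allow %s %s:%s %s;' % (stype, target, tclass,
                                             '{ %s }' % p if len(perms) > 1 else p))
    return rules
```

Running `allow_rules(SAMPLE_LOG)` yields the `self:process setexec` rule Yong was about to add by hand, which is the point at which a reviewer should ask whether the domain really needs it.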
* Re: runcon problems
From: Russell Coker @ 2007-04-04 0:38 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Yong Lee, selinux
On Wednesday 04 April 2007 00:52, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Confined apps can not use the runcon process. You have two choices.
I have to be pedantic here.
Confined apps can use runcon if their policy permits them to do so. An
example of an application that is permitted to spawn children in a different
context is crond. Currently it's not supported for cgi-bin scripts, but a
policy module could allow this.
Writing policy to allow a cgi-bin script to run another program in a different
domain may be useful on occasion. It's easier to have an automatic
transition as you suggest, but calling runcon from a cgi-bin script is not
necessarily a bad idea.
--
russell@coker.com.au
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development