Re: request for review of httpd-related Boolean definitions

[m <maximilianbianco@gmail.com>]

Dominick Grift wrote:
> On Tue, 2009-03-31 at 15:16 +1000, Scott Radvan wrote:
> 
> I am going to use this thread to just share any thoughts i have with regards to this
>> o  allow_httpd_anon_write
>> This Boolean is off by default, allowing httpd only read access to
>> files labeled with the public_content_rw_t type. Enabling this Boolean
>> will allow httpd to write to files labeled with the public_content_rw_t
>> type, such as a public directory containing files for a public file
>> transfer service. 
> 
> 
>> o  allow_httpd_mod_auth_ntlm_winbind
>> This Boolean is off by default. Enabling it will allow access to NTLM
>> and Winbind authentication mechanisms via the mod_auth_ntlm_winbind
>> module in httpd. 
>>
>> o  allow_httpd_mod_auth_pam
>> This Boolean is off by default. Enabling it will allow access to PAM
>> authentication mechanisms via the mod_auth_pam module in httpd.
>>
>> o  allow_httpd_sys_script_anon_write
>> This Boolean is off by default. It defines whether or not HTTP scripts
>> are allowed write access to files labeled with the public_content_rw_t
>> type, as used in a public file transfer service.
>>
>> o  httpd_builtin_scripting 
>> This Boolean is on by default, allowing httpd scripting. Having this
>> Boolean enabled is often required for PHP content.
> 
> It allows: 
> 
> 1. httpd_t to manage templated httpd rw content,
> 2. httpd_t to read templated httpd ra content,
> 3. httpd_t to read templated httpd content,
> 
> # Allow the web server to run scripts and serve pages
> tunable_policy(`httpd_builtin_scripting',`
> 	manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_
> $1_content_rw_t)
> 	manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_
> $1_content_rw_t)
> 	manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_
> $1_content_rw_t)
> 	rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_
> $1_content_rw_t)
> 
> 	allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms
> add_entry_dir_perms };
> 	read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_
> $1_content_ra_t)
> 	append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_
> $1_content_ra_t)
> 	read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_
> $1_content_ra_t)
> 
> 	allow httpd_t httpd_$1_content_t:dir list_dir_perms;
> 	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
> 	read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
> 
> 	allow httpd_t httpd_$1_content_t:dir list_dir_perms;
> 	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
> 	read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
> ')
> 
> I think this is a bug in policy or atleast that this boolean is too
> coarse
> 
> with this boolean set to false: httpd_t cannot read
> httpd_user_content_t. Basically what it means is that you cannot use
> httpd userdirs (httpd_enable_userdirs) without scripting enabled.
> 
>> o  httpd_can_network_connect
>> This Boolean is off by default, preventing HTTP scripts and modules
>> from initiating a connection to a network or remote port. Turn this
>> Boolean on to allow this access. 
>>
>> o  httpd_can_network_connect_db
>> This Boolean is off by default, preventing HTTP scripts and modules
>> from initiating a connection to database servers. Turn this Boolean on
>> to allow this access. 
>>
>> o  httpd_can_network_relay
>> Turn this Boolean on when httpd is being used as a forward or
>> reverse proxy. 
>>
>> o  httpd_can_sendmail
>> This Boolean is off by default, preventing HTTP modules from sending
>> mail. This can prevent spam attacks should a vulnerability be found in
>> httpd. Turn this Boolean on to allow HTTP modules to send mail.
>>
>> o  httpd_dbus_avahi
>> This Boolean is off by default, denying httpd access to the avahi
>> service via dbus. Turn this Boolean on to allow this access.
>>
>> o  httpd_enable_cgi
>> By default, SELinux prevents httpd from executing CGI scripts. Turn
>> this Boolean on to allow httpd to execute CGI scripts (CGI scripts must
>> be labeled with the httpd_sys_script_exec_t type).
> 
> 1. It creates an entrypoint for templated httpd domains and their
> executable files
> 
> 2. It allow httpd_t to domain transition to templated httpd domains
> 
> 3. it allows templated httpd domains basic permissions to run.
> 
> tunable_policy(`httpd_enable_cgi',`
> 	allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
> 
> 	# privileged users run the script:
> 	domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_
> $1_script_t)
> 
> 	allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
> 
> 	# apache runs the script:
> 	domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
> 
> 	allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
> 
> 	allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
> 	allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
> 
> 	allow httpd_$1_script_t self:process { setsched signal_perms };
> 	allow httpd_$1_script_t self:unix_stream_socket
> create_stream_socket_perms;
> 
> 	allow httpd_$1_script_t httpd_t:fd use;
> 	allow httpd_$1_script_t httpd_t:process sigchld;
> 
> 	kernel_read_system_state(httpd_$1_script_t)
> 
> 	dev_read_urand(httpd_$1_script_t)
> 
> 	fs_getattr_xattr_fs(httpd_$1_script_t)
> 
> 	files_read_etc_runtime_files(httpd_$1_script_t)
> 	files_read_usr_files(httpd_$1_script_t)
> 
> 	libs_read_lib_files(httpd_$1_script_t)
> 
> 	miscfiles_read_localization(httpd_$1_script_t)
> 	')
> 
> So it is not only for httpd_sys_script_exec_t but for example also
> httpd_user_script_exec_t or any other httpd domain create with
> apache_content_template or declared as apache_domain()
> 
> Also it is specifically responsible for domain transitions.
> 
> 
>> o  httpd_enable_ftp_server
>> Turning this Boolean on will allow httpd to listen on the FTP port and
>> act as an FTP server. 
>>
>> o  httpd_enable_homedirs
>> By default, SELinux prevents httpd from accessing user home
>> directories. Turn this Boolean on to allow httpd access to user home
>> directories, for example, /home/*/public_html/. 
> 
> All it does is allow httpd_t to search /home/*/ for httpd content
> 
> tunable_policy(`httpd_enable_homedirs',`
> 	userdom_search_user_home_dirs(httpd_t)
> 	userdom_search_user_home_dirs(httpd_suexec_t)
> 	userdom_search_user_home_dirs(httpd_user_script_t)
> ')
> 
> This does not actually allow httpd_t to read httpd_user_content_t
> ( requires the httpd_builtin_scripting boolean to be set )
> 
>> o  httpd_execmem
> 
> tunable_policy(`httpd_execmem',`
> 	allow httpd_t self:process { execmem execstack };
> 	allow httpd_sys_script_t self:process { execmem execstack };
> 	allow httpd_suexec_t self:process { execmem execstack };
> ') 
> 
> Note that is also allows execstack.
> Note that it allows it also for httpd_sys_script_t
> Note that it *does not* allow it for httpd_user_script_t ( or any other
> templated httpd script)

I think here he is looking to understand what exactly execmem allows. My 
understanding is that it allows memory to be both writeable and 
executable which is a no no but often required because of some 
questionable programming practices. Please correct me if I am wrong but 
if the above is correct then this allows the webserver to make memory 
both writeable and executable, something that should be avoided.

>> o  httpd_ssi_exec
>> Off by default, this Boolean makes sure that httpd can only execute
>> shell scripts that have the shell_exec_t type assigned to them.
>> Enabling this Boolean will allow httpd to execute any script.
>>
>> o  httpd_tty_comm
>> This Boolean defines whether or not httpd is allowed access to the
>> controlling terminal. Usually this access is not required; however in
>> cases such as configuring an SSL certificate file, terminal access is
>> required to display and process a password prompt. 
>>
>> o  httpd_unified
>> This Boolean is off by default, turning it on will allow all httpd
>> executables to have full access to all content labeled with http file
>> context. Leaving it off ensures that one httpd service can not
>> interfere with another, limiting the opportunity for privilege
>> escalation vulnerability.
> 
> I think this boolean needs a good thorough review.
> I do not think it works properly but i might be wrong
> 
>> o  httpd_use_cifs 
>> Turn this Boolean on to allow httpd access to files on CIFS file
>> systems that are labeled with the cifs_t type, such as file systems
>> mounted via Samba. 
>>
>> o  httpd_use_nfs
>> Turn this Boolean on to allow httpd access to files on NFS file systems
>> that are labeled with the nfs_t type, such as file systems mounted via
>> NFS.
>>
>>
>> All comments are more than welcome! Again, thank you.
>>
>>
>>
>> [1] - https://fedorahosted.org/managing-confined-services/
>> [2] - http://people.redhat.com/drepper/selinux-mem.html
>>
>>
>> Cheers,
>>
>>
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 


-- 
"Any fool can know. The point is to understand" --Albert Einstein

Bored??
http://fiction.wikia.com/wiki/Fuqwit1.0

http://fiction.wikia.com/wiki/Coding_the_Magic_into_the_Eight_Ball

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.