* request for review of httpd-related Boolean definitions @ 2009-03-31 5:16 Scott Radvan 2009-03-31 10:30 ` Dominick Grift 0 siblings, 1 reply; 5+ messages in thread From: Scott Radvan @ 2009-03-31 5:16 UTC (permalink / raw) To: selinux Hi all, I am working on a Fedora 11 guide [1] on managing confined services using SELinux, and I am currently attempting to expand on the descriptions of the available Booleans. Currently looking at the httpd-related Booleans, one I am having particular problems with is httpd_execmem. I am so far unable to find a simple description of what this Boolean is and what having it enabled/disabled actually causes/stops. I have looked at the manpages, sesearch, semanage and system-config-selinux - none of which say a lot regarding it, and online resources such as [2] I must admit go largely over my head! Any brief-ish description of httpd_execmem anybody on this list can provide would be great. Further to that, below I have listed the descriptions that I have so far of each of the httpd-related Booleans. I would greatly appreciate any input or review of them at all to ensure that these brief descriptions are accurate. o allow_httpd_anon_write This Boolean is off by default, allowing httpd only read access to files labeled with the public_content_rw_t type. Enabling this Boolean will allow httpd to write to files labeled with the public_content_rw_t type, such as a public directory containing files for a public file transfer service. o allow_httpd_mod_auth_ntlm_winbind This Boolean is off by default. Enabling it will allow access to NTLM and Winbind authentication mechanisms via the mod_auth_ntlm_winbind module in httpd. o allow_httpd_mod_auth_pam This Boolean is off by default. Enabling it will allow access to PAM authentication mechanisms via the mod_auth_pam module in httpd. o allow_httpd_sys_script_anon_write This Boolean is off by default. It defines whether or not HTTP scripts are allowed write access to files labeled with the public_content_rw_t type, as used in a public file transfer service. o httpd_builtin_scripting This Boolean is on by default, allowing httpd scripting. Having this Boolean enabled is often required for PHP content. o httpd_can_network_connect This Boolean is off by default, preventing HTTP scripts and modules from initiating a connection to a network or remote port. Turn this Boolean on to allow this access. o httpd_can_network_connect_db This Boolean is off by default, preventing HTTP scripts and modules from initiating a connection to database servers. Turn this Boolean on to allow this access. o httpd_can_network_relay Turn this Boolean on when httpd is being used as a forward or reverse proxy. o httpd_can_sendmail This Boolean is off by default, preventing HTTP modules from sending mail. This can prevent spam attacks should a vulnerability be found in httpd. Turn this Boolean on to allow HTTP modules to send mail. o httpd_dbus_avahi This Boolean is off by default, denying httpd access to the avahi service via dbus. Turn this Boolean on to allow this access. o httpd_enable_cgi By default, SELinux prevents httpd from executing CGI scripts. Turn this Boolean on to allow httpd to execute CGI scripts (CGI scripts must be labeled with the httpd_sys_script_exec_t type). o httpd_enable_ftp_server Turning this Boolean on will allow httpd to listen on the FTP port and act as an FTP server. o httpd_enable_homedirs By default, SELinux prevents httpd from accessing user home directories. Turn this Boolean on to allow httpd access to user home directories, for example, /home/*/public_html/. o httpd_execmem ??? o httpd_ssi_exec Off by default, this Boolean makes sure that httpd can only execute shell scripts that have the shell_exec_t type assigned to them. Enabling this Boolean will allow httpd to execute any script. o httpd_tty_comm This Boolean defines whether or not httpd is allowed access to the controlling terminal. Usually this access is not required; however in cases such as configuring an SSL certificate file, terminal access is required to display and process a password prompt. o httpd_unified This Boolean is off by default, turning it on will allow all httpd executables to have full access to all content labeled with http file context. Leaving it off ensures that one httpd service can not interfere with another, limiting the opportunity for privilege escalation vulnerability. o httpd_use_cifs Turn this Boolean on to allow httpd access to files on CIFS file systems that are labeled with the cifs_t type, such as file systems mounted via Samba. o httpd_use_nfs Turn this Boolean on to allow httpd access to files on NFS file systems that are labeled with the nfs_t type, such as file systems mounted via NFS. All comments are more than welcome! Again, thank you. [1] - https://fedorahosted.org/managing-confined-services/ [2] - http://people.redhat.com/drepper/selinux-mem.html Cheers, -- Scott Radvan Content Author, Platform (Installation and Deployment) Red Hat APAC (Brisbane) http://www.apac.redhat.com -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: request for review of httpd-related Boolean definitions 2009-03-31 5:16 request for review of httpd-related Boolean definitions Scott Radvan @ 2009-03-31 10:30 ` Dominick Grift 2009-03-31 14:42 ` m 2009-04-06 17:55 ` Daniel J Walsh 0 siblings, 2 replies; 5+ messages in thread From: Dominick Grift @ 2009-03-31 10:30 UTC (permalink / raw) To: Scott Radvan; +Cc: selinux On Tue, 2009-03-31 at 15:16 +1000, Scott Radvan wrote: I am going to use this thread to just share any thoughts i have with regards to this > > o allow_httpd_anon_write > This Boolean is off by default, allowing httpd only read access to > files labeled with the public_content_rw_t type. Enabling this Boolean > will allow httpd to write to files labeled with the public_content_rw_t > type, such as a public directory containing files for a public file > transfer service. > o allow_httpd_mod_auth_ntlm_winbind > This Boolean is off by default. Enabling it will allow access to NTLM > and Winbind authentication mechanisms via the mod_auth_ntlm_winbind > module in httpd. > > o allow_httpd_mod_auth_pam > This Boolean is off by default. Enabling it will allow access to PAM > authentication mechanisms via the mod_auth_pam module in httpd. > > o allow_httpd_sys_script_anon_write > This Boolean is off by default. It defines whether or not HTTP scripts > are allowed write access to files labeled with the public_content_rw_t > type, as used in a public file transfer service. > > o httpd_builtin_scripting > This Boolean is on by default, allowing httpd scripting. Having this > Boolean enabled is often required for PHP content. It allows: 1. httpd_t to manage templated httpd rw content, 2. httpd_t to read templated httpd ra content, 3. httpd_t to read templated httpd content, # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_ $1_content_rw_t) manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_ $1_content_rw_t) manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_ $1_content_rw_t) rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_ $1_content_rw_t) allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_ $1_content_ra_t) append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_ $1_content_ra_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_ $1_content_ra_t) allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) ') I think this is a bug in policy or atleast that this boolean is too coarse with this boolean set to false: httpd_t cannot read httpd_user_content_t. Basically what it means is that you cannot use httpd userdirs (httpd_enable_userdirs) without scripting enabled. > o httpd_can_network_connect > This Boolean is off by default, preventing HTTP scripts and modules > from initiating a connection to a network or remote port. Turn this > Boolean on to allow this access. > > o httpd_can_network_connect_db > This Boolean is off by default, preventing HTTP scripts and modules > from initiating a connection to database servers. Turn this Boolean on > to allow this access. > > o httpd_can_network_relay > Turn this Boolean on when httpd is being used as a forward or > reverse proxy. > > o httpd_can_sendmail > This Boolean is off by default, preventing HTTP modules from sending > mail. This can prevent spam attacks should a vulnerability be found in > httpd. Turn this Boolean on to allow HTTP modules to send mail. > > o httpd_dbus_avahi > This Boolean is off by default, denying httpd access to the avahi > service via dbus. Turn this Boolean on to allow this access. > > o httpd_enable_cgi > By default, SELinux prevents httpd from executing CGI scripts. Turn > this Boolean on to allow httpd to execute CGI scripts (CGI scripts must > be labeled with the httpd_sys_script_exec_t type). 1. It creates an entrypoint for templated httpd domains and their executable files 2. It allow httpd_t to domain transition to templated httpd domains 3. it allows templated httpd domains basic permissions to run. tunable_policy(`httpd_enable_cgi',` allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; # privileged users run the script: domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_ $1_script_t) allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; # apache runs the script: domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) allow httpd_t httpd_$1_script_exec_t:file read_file_perms; allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; allow httpd_$1_script_t self:process { setsched signal_perms }; allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; allow httpd_$1_script_t httpd_t:fd use; allow httpd_$1_script_t httpd_t:process sigchld; kernel_read_system_state(httpd_$1_script_t) dev_read_urand(httpd_$1_script_t) fs_getattr_xattr_fs(httpd_$1_script_t) files_read_etc_runtime_files(httpd_$1_script_t) files_read_usr_files(httpd_$1_script_t) libs_read_lib_files(httpd_$1_script_t) miscfiles_read_localization(httpd_$1_script_t) ') So it is not only for httpd_sys_script_exec_t but for example also httpd_user_script_exec_t or any other httpd domain create with apache_content_template or declared as apache_domain() Also it is specifically responsible for domain transitions. > o httpd_enable_ftp_server > Turning this Boolean on will allow httpd to listen on the FTP port and > act as an FTP server. > > o httpd_enable_homedirs > By default, SELinux prevents httpd from accessing user home > directories. Turn this Boolean on to allow httpd access to user home > directories, for example, /home/*/public_html/. All it does is allow httpd_t to search /home/*/ for httpd content tunable_policy(`httpd_enable_homedirs',` userdom_search_user_home_dirs(httpd_t) userdom_search_user_home_dirs(httpd_suexec_t) userdom_search_user_home_dirs(httpd_user_script_t) ') This does not actually allow httpd_t to read httpd_user_content_t ( requires the httpd_builtin_scripting boolean to be set ) > o httpd_execmem tunable_policy(`httpd_execmem',` allow httpd_t self:process { execmem execstack }; allow httpd_sys_script_t self:process { execmem execstack }; allow httpd_suexec_t self:process { execmem execstack }; ') Note that is also allows execstack. Note that it allows it also for httpd_sys_script_t Note that it *does not* allow it for httpd_user_script_t ( or any other templated httpd script) > > o httpd_ssi_exec > Off by default, this Boolean makes sure that httpd can only execute > shell scripts that have the shell_exec_t type assigned to them. > Enabling this Boolean will allow httpd to execute any script. > > o httpd_tty_comm > This Boolean defines whether or not httpd is allowed access to the > controlling terminal. Usually this access is not required; however in > cases such as configuring an SSL certificate file, terminal access is > required to display and process a password prompt. > > o httpd_unified > This Boolean is off by default, turning it on will allow all httpd > executables to have full access to all content labeled with http file > context. Leaving it off ensures that one httpd service can not > interfere with another, limiting the opportunity for privilege > escalation vulnerability. I think this boolean needs a good thorough review. I do not think it works properly but i might be wrong > o httpd_use_cifs > Turn this Boolean on to allow httpd access to files on CIFS file > systems that are labeled with the cifs_t type, such as file systems > mounted via Samba. > > o httpd_use_nfs > Turn this Boolean on to allow httpd access to files on NFS file systems > that are labeled with the nfs_t type, such as file systems mounted via > NFS. > > > All comments are more than welcome! Again, thank you. > > > > [1] - https://fedorahosted.org/managing-confined-services/ > [2] - http://people.redhat.com/drepper/selinux-mem.html > > > Cheers, > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: request for review of httpd-related Boolean definitions 2009-03-31 10:30 ` Dominick Grift @ 2009-03-31 14:42 ` m 2009-04-06 17:53 ` Daniel J Walsh 2009-04-06 17:55 ` Daniel J Walsh 1 sibling, 1 reply; 5+ messages in thread From: m @ 2009-03-31 14:42 UTC (permalink / raw) To: selinux Dominick Grift wrote: > On Tue, 2009-03-31 at 15:16 +1000, Scott Radvan wrote: > > I am going to use this thread to just share any thoughts i have with regards to this >> o allow_httpd_anon_write >> This Boolean is off by default, allowing httpd only read access to >> files labeled with the public_content_rw_t type. Enabling this Boolean >> will allow httpd to write to files labeled with the public_content_rw_t >> type, such as a public directory containing files for a public file >> transfer service. > > >> o allow_httpd_mod_auth_ntlm_winbind >> This Boolean is off by default. Enabling it will allow access to NTLM >> and Winbind authentication mechanisms via the mod_auth_ntlm_winbind >> module in httpd. >> >> o allow_httpd_mod_auth_pam >> This Boolean is off by default. Enabling it will allow access to PAM >> authentication mechanisms via the mod_auth_pam module in httpd. >> >> o allow_httpd_sys_script_anon_write >> This Boolean is off by default. It defines whether or not HTTP scripts >> are allowed write access to files labeled with the public_content_rw_t >> type, as used in a public file transfer service. >> >> o httpd_builtin_scripting >> This Boolean is on by default, allowing httpd scripting. Having this >> Boolean enabled is often required for PHP content. > > It allows: > > 1. httpd_t to manage templated httpd rw content, > 2. httpd_t to read templated httpd ra content, > 3. httpd_t to read templated httpd content, > > # Allow the web server to run scripts and serve pages > tunable_policy(`httpd_builtin_scripting',` > manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_ > $1_content_rw_t) > manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_ > $1_content_rw_t) > manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_ > $1_content_rw_t) > rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_ > $1_content_rw_t) > > allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms > add_entry_dir_perms }; > read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_ > $1_content_ra_t) > append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_ > $1_content_ra_t) > read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_ > $1_content_ra_t) > > allow httpd_t httpd_$1_content_t:dir list_dir_perms; > read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) > read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) > > allow httpd_t httpd_$1_content_t:dir list_dir_perms; > read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) > read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) > ') > > I think this is a bug in policy or atleast that this boolean is too > coarse > > with this boolean set to false: httpd_t cannot read > httpd_user_content_t. Basically what it means is that you cannot use > httpd userdirs (httpd_enable_userdirs) without scripting enabled. > >> o httpd_can_network_connect >> This Boolean is off by default, preventing HTTP scripts and modules >> from initiating a connection to a network or remote port. Turn this >> Boolean on to allow this access. >> >> o httpd_can_network_connect_db >> This Boolean is off by default, preventing HTTP scripts and modules >> from initiating a connection to database servers. Turn this Boolean on >> to allow this access. >> >> o httpd_can_network_relay >> Turn this Boolean on when httpd is being used as a forward or >> reverse proxy. >> >> o httpd_can_sendmail >> This Boolean is off by default, preventing HTTP modules from sending >> mail. This can prevent spam attacks should a vulnerability be found in >> httpd. Turn this Boolean on to allow HTTP modules to send mail. >> >> o httpd_dbus_avahi >> This Boolean is off by default, denying httpd access to the avahi >> service via dbus. Turn this Boolean on to allow this access. >> >> o httpd_enable_cgi >> By default, SELinux prevents httpd from executing CGI scripts. Turn >> this Boolean on to allow httpd to execute CGI scripts (CGI scripts must >> be labeled with the httpd_sys_script_exec_t type). > > 1. It creates an entrypoint for templated httpd domains and their > executable files > > 2. It allow httpd_t to domain transition to templated httpd domains > > 3. it allows templated httpd domains basic permissions to run. > > tunable_policy(`httpd_enable_cgi',` > allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; > > # privileged users run the script: > domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_ > $1_script_t) > > allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; > > # apache runs the script: > domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) > > allow httpd_t httpd_$1_script_exec_t:file read_file_perms; > > allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; > allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; > > allow httpd_$1_script_t self:process { setsched signal_perms }; > allow httpd_$1_script_t self:unix_stream_socket > create_stream_socket_perms; > > allow httpd_$1_script_t httpd_t:fd use; > allow httpd_$1_script_t httpd_t:process sigchld; > > kernel_read_system_state(httpd_$1_script_t) > > dev_read_urand(httpd_$1_script_t) > > fs_getattr_xattr_fs(httpd_$1_script_t) > > files_read_etc_runtime_files(httpd_$1_script_t) > files_read_usr_files(httpd_$1_script_t) > > libs_read_lib_files(httpd_$1_script_t) > > miscfiles_read_localization(httpd_$1_script_t) > ') > > So it is not only for httpd_sys_script_exec_t but for example also > httpd_user_script_exec_t or any other httpd domain create with > apache_content_template or declared as apache_domain() > > Also it is specifically responsible for domain transitions. > > >> o httpd_enable_ftp_server >> Turning this Boolean on will allow httpd to listen on the FTP port and >> act as an FTP server. >> >> o httpd_enable_homedirs >> By default, SELinux prevents httpd from accessing user home >> directories. Turn this Boolean on to allow httpd access to user home >> directories, for example, /home/*/public_html/. > > All it does is allow httpd_t to search /home/*/ for httpd content > > tunable_policy(`httpd_enable_homedirs',` > userdom_search_user_home_dirs(httpd_t) > userdom_search_user_home_dirs(httpd_suexec_t) > userdom_search_user_home_dirs(httpd_user_script_t) > ') > > This does not actually allow httpd_t to read httpd_user_content_t > ( requires the httpd_builtin_scripting boolean to be set ) > >> o httpd_execmem > > tunable_policy(`httpd_execmem',` > allow httpd_t self:process { execmem execstack }; > allow httpd_sys_script_t self:process { execmem execstack }; > allow httpd_suexec_t self:process { execmem execstack }; > ') > > Note that is also allows execstack. > Note that it allows it also for httpd_sys_script_t > Note that it *does not* allow it for httpd_user_script_t ( or any other > templated httpd script) I think here he is looking to understand what exactly execmem allows. My understanding is that it allows memory to be both writeable and executable which is a no no but often required because of some questionable programming practices. Please correct me if I am wrong but if the above is correct then this allows the webserver to make memory both writeable and executable, something that should be avoided. >> o httpd_ssi_exec >> Off by default, this Boolean makes sure that httpd can only execute >> shell scripts that have the shell_exec_t type assigned to them. >> Enabling this Boolean will allow httpd to execute any script. >> >> o httpd_tty_comm >> This Boolean defines whether or not httpd is allowed access to the >> controlling terminal. Usually this access is not required; however in >> cases such as configuring an SSL certificate file, terminal access is >> required to display and process a password prompt. >> >> o httpd_unified >> This Boolean is off by default, turning it on will allow all httpd >> executables to have full access to all content labeled with http file >> context. Leaving it off ensures that one httpd service can not >> interfere with another, limiting the opportunity for privilege >> escalation vulnerability. > > I think this boolean needs a good thorough review. > I do not think it works properly but i might be wrong > >> o httpd_use_cifs >> Turn this Boolean on to allow httpd access to files on CIFS file >> systems that are labeled with the cifs_t type, such as file systems >> mounted via Samba. >> >> o httpd_use_nfs >> Turn this Boolean on to allow httpd access to files on NFS file systems >> that are labeled with the nfs_t type, such as file systems mounted via >> NFS. >> >> >> All comments are more than welcome! Again, thank you. >> >> >> >> [1] - https://fedorahosted.org/managing-confined-services/ >> [2] - http://people.redhat.com/drepper/selinux-mem.html >> >> >> Cheers, >> >> > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. > -- "Any fool can know. The point is to understand" --Albert Einstein Bored?? http://fiction.wikia.com/wiki/Fuqwit1.0 http://fiction.wikia.com/wiki/Coding_the_Magic_into_the_Eight_Ball -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: request for review of httpd-related Boolean definitions 2009-03-31 14:42 ` m @ 2009-04-06 17:53 ` Daniel J Walsh 0 siblings, 0 replies; 5+ messages in thread From: Daniel J Walsh @ 2009-04-06 17:53 UTC (permalink / raw) To: m; +Cc: selinux <snip> >>> o httpd_execmem >> >> tunable_policy(`httpd_execmem',` >> allow httpd_t self:process { execmem execstack }; >> allow httpd_sys_script_t self:process { execmem execstack }; >> allow httpd_suexec_t self:process { execmem execstack }; >> ') >> Note that is also allows execstack. >> Note that it allows it also for httpd_sys_script_t >> Note that it *does not* allow it for httpd_user_script_t ( or any other >> templated httpd script) > > I think here he is looking to understand what exactly execmem allows. My > understanding is that it allows memory to be both writeable and > executable which is a no no but often required because of some > questionable programming practices. Please correct me if I am wrong but > if the above is correct then this allows the webserver to make memory > both writeable and executable, something that should be avoided. > Yes correct. Turning on this boolean will allow apache to execute programs that require writable/executable memory. Java/Mono type apps could require this, but it should seldom be set. Turning this on eliminates some level of buffer overflow protection. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: request for review of httpd-related Boolean definitions 2009-03-31 10:30 ` Dominick Grift 2009-03-31 14:42 ` m @ 2009-04-06 17:55 ` Daniel J Walsh 1 sibling, 0 replies; 5+ messages in thread From: Daniel J Walsh @ 2009-04-06 17:55 UTC (permalink / raw) To: Dominick Grift; +Cc: Scott Radvan, selinux On 03/31/2009 06:30 AM, Dominick Grift wrote: > On Tue, 2009-03-31 at 15:16 +1000, Scott Radvan wrote: > > I am going to use this thread to just share any thoughts i have with regards to this >> o allow_httpd_anon_write >> This Boolean is off by default, allowing httpd only read access to >> files labeled with the public_content_rw_t type. Enabling this Boolean >> will allow httpd to write to files labeled with the public_content_rw_t >> type, such as a public directory containing files for a public file >> transfer service. > > >> o allow_httpd_mod_auth_ntlm_winbind >> This Boolean is off by default. Enabling it will allow access to NTLM >> and Winbind authentication mechanisms via the mod_auth_ntlm_winbind >> module in httpd. >> >> o allow_httpd_mod_auth_pam >> This Boolean is off by default. Enabling it will allow access to PAM >> authentication mechanisms via the mod_auth_pam module in httpd. >> >> o allow_httpd_sys_script_anon_write >> This Boolean is off by default. It defines whether or not HTTP scripts >> are allowed write access to files labeled with the public_content_rw_t >> type, as used in a public file transfer service. >> >> o httpd_builtin_scripting >> This Boolean is on by default, allowing httpd scripting. Having this >> Boolean enabled is often required for PHP content. > > It allows: > > 1. httpd_t to manage templated httpd rw content, > 2. httpd_t to read templated httpd ra content, > 3. httpd_t to read templated httpd content, > > # Allow the web server to run scripts and serve pages > tunable_policy(`httpd_builtin_scripting',` > manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_ > $1_content_rw_t) > manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_ > $1_content_rw_t) > manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_ > $1_content_rw_t) > rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_ > $1_content_rw_t) > > allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms > add_entry_dir_perms }; > read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_ > $1_content_ra_t) > append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_ > $1_content_ra_t) > read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_ > $1_content_ra_t) > > allow httpd_t httpd_$1_content_t:dir list_dir_perms; > read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) > read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) > > allow httpd_t httpd_$1_content_t:dir list_dir_perms; > read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) > read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) > ') > > I think this is a bug in policy or atleast that this boolean is too > coarse > > with this boolean set to false: httpd_t cannot read > httpd_user_content_t. Basically what it means is that you cannot use > httpd userdirs (httpd_enable_userdirs) without scripting enabled. > In Fedora policy I have removed the booleans from the templated interfaces, So these booleans only effect httpd_sys_*. If you use the templates you need to either allow the access or add your own booleans. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2009-04-06 17:55 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2009-03-31 5:16 request for review of httpd-related Boolean definitions Scott Radvan 2009-03-31 10:30 ` Dominick Grift 2009-03-31 14:42 ` m 2009-04-06 17:53 ` Daniel J Walsh 2009-04-06 17:55 ` Daniel J Walsh
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.