* Web Application access to files in /mnt/
@ 2014-01-10 21:08 Ken Smith
From: Ken Smith @ 2014-01-10 21:08 UTC (permalink / raw)
To: selinux
Hi All, I could do with some simple guidance. I have a web application,
written in Perl, that is part of MythTV. It can stream video from files
mounted in /mnt.
The report from SELinux is:
Source Context system_u:system_r:httpd_sys_script_t:s0
Target Context system_u:object_r:file_t:s0
Target Objects /mnt/store0 [ dir ]
Source mythweb.pl
What would be the best approach? Should I relabel the files in /mnt or
create a module like this:
# grep mythweb.pl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Thanks in advance
Ken
* Re: Web Application access to files in /mnt/
From: Dominick Grift @ 2014-01-10 21:44 UTC (permalink / raw)
To: Ken Smith; +Cc: selinux
On Fri, 2014-01-10 at 21:08 +0000, Ken Smith wrote:
> Hi All, I could do with some simple guidance. I have a web application,
> written in Perl, that is part of MythTV. It can stream video from files
> mounted in /mnt.
>
In this case the issue might not be so simple. You have mounted a
partition under /mnt/ or /mnt/store0 that currently has no SELinux
metadata stored with its objects.
So either you just formatted that partition, or it comes from a system
that does not support SELinux.
The question is which assumptions to make. Will this just need to work
in this specific scenario or in any scenario?
I will give you a simple solution that might make it work for partitions
mounted under /mnt that have objects with no SELinux metadata stored
with them.
mkdir ~/test; cd ~/test
cat > test.te <<EOF
policy_module(test, 1.0.0)
gen_require(\` type file_t; ')
apache_content_template(test)
list_dirs_pattern(httpd_test_script_t, file_t, file_t)
read_files_pattern(httpd_test_script_t, file_t, file_t)
EOF
make -f /usr/share/selinux/devel/Makefile test.pp
sudo semodule -i test.pp
Then use the following command to label the perl script appropriately
(replace the path in this example with the actual path to the script):
sudo semanage fcontext -a -t httpd_test_script_exec_t -f -- "/var/www/cgi-bin/mythweb\.pl"
sudo restorecon -v /var/www/cgi-bin/mythweb.pl
Then see if it works (it will probably not work yet).
If it still does not work, then you might want to quickly test it in
permissive mode by running:
setenforce 0
<<reproduce/retest the webapp>>
setenforce 1
Then use:
sudo ausearch -m avc,user_avc,selinux_err -ts recent | audit2allow -M test_addon; semodule -i test_addon.pp
Hopefully that will put all the additional rules into the test_addon.pp
module and install that alongside the test.pp module.
That might make it work.
This is a quick hack, though; the issue is not as simple as it seems, but
you haven't given me enough information for me to give a better solution.
What we did above was create a new "selinux sandbox" called
httpd_test_script_t and associate it with
the /var/www/cgi-bin/mythweb.pl script. Then we expanded that selinux
sandbox a bit so that it can read directory and file objects that have no
selinux security metadata associated with them.
The goal of this was to not break the existing httpd_sys_script_t
selinux sandbox in which the webapp was running previously. This is because
that selinux sandbox is used by other generic web apps as well and we
don't want to give them these permissions, only mythweb.pl.
> The report from SElinux is
>
> Source Context system_u:system_r:httpd_sys_script_t:s0
> Target Context system_u:object_r:file_t:s0
> Target Objects /mnt/store0 [ dir ]
> Source mythweb.pl
>
> What would be the best approach. Should I relabel the files in /mnt or
> create a module like this
>
> # grep mythweb.pl /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Thanks in advance
>
> Ken
>
>
>
* Re: Web Application access to files in /mnt/
From: luis @ 2014-01-12 17:04 UTC (permalink / raw)
To: selinux
Additionally, I'd mount /mnt/store0 with the mount option
context=system_u:object_r:my_app_content_t and only grant your
application access on that, instead of file_t.
If you don't need the separation proposed by Dominick Grift (e.g.
because the video files are public anyway), you could even just do a
"mount -o context=system_u:object_r:httpd_sys_content_t ?? /mnt/store0"
without having to create a custom policy.
Regards,
Luis Ressel
--
Luis Ressel <aranea@aixah.de>
GPG fpr: F08D 2AF6 655E 25DE 52BC E53D 08F5 7F90 3029 B5BD
* Re: Web Application access to files in /mnt/
From: Daniel J Walsh @ 2014-01-13 15:12 UTC (permalink / raw)
To: Luis Ressel, selinux
On 01/12/2014 12:05 PM, Luis Ressel wrote:
The label should probably be
system_u:object_r:httpd_sys_content_t:s0
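The thread turns on one diagnostic point: the target type in Ken's denial is file_t, which means the objects under /mnt/store0 carry no SELinux label at all, so the fix is labelling (Luis's context= mount option, with the :s0 level Dan Walsh adds, or a persistent fcontext rule plus restorecon), not a new allow rule. The following triage script is an added example written for this page, not code from any poster or from the SELinux project. It parses AVC records, separates unlabelled targets (file_t, unlabeled_t) from labelled ones, and produces the mount, fstab and relabel commands discussed above. The three AVC lines are constructed to mirror the denial quoted in the thread; the mountpoint, device placeholder and content type are assumptions taken from the discussion.

```python
import re

# Constructed sample AVC records, modelled on the denial quoted in the thread
# (these are not lines from any real audit log).
SAMPLE_AVCS = """\
type=AVC msg=audit(1389387000.123:456): avc:  denied  { read } for  pid=1234 comm="mythweb.pl" name="store0" dev="sdb1" ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1389387001.456:457): avc:  denied  { getattr open } for  pid=1234 comm="mythweb.pl" path="/mnt/store0/video.mpg" dev="sdb1" ino=17 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1389387002.789:458): avc:  denied  { read } for  pid=1250 comm="httpd" path="/var/www/html/index.html" dev="sda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Types that mean the object carries no persistent SELinux label:
# file_t for files on a labelled filesystem that were never labelled,
# unlabeled_t for objects whose label the kernel cannot map.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def parse_avc(line):
    """Pull the fields a triage decision needs out of one AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def classify(rec):
    """'unlabeled-target' means the fix is labelling, not a new allow rule."""
    return "unlabeled-target" if rec["ttype"] in UNLABELED_TYPES else "labeled-target"


def remedy(rec, mountpoint="/mnt/store0", content_type="httpd_sys_content_t"):
    """Return the commands a defender would try, in order, for one denial.

    mountpoint and content_type are assumptions for this example; the thread
    settles on httpd_sys_content_t (with the :s0 level) for public video files.
    <device> and <fstype> are placeholders, not values from the thread.
    """
    if classify(rec) == "unlabeled-target":
        ctx = "system_u:object_r:%s:s0" % content_type
        return {
            "reason": "target type %s: objects under %s have no SELinux label"
                      % (rec["ttype"], mountpoint),
            # Whole-filesystem label applied at mount time; no relabel pass needed.
            "mount": "mount -o context=%s <device> %s" % (ctx, mountpoint),
            "fstab": "<device> %s <fstype> defaults,context=%s 0 0" % (mountpoint, ctx),
            # Persistent per-path labelling as the alternative.
            "relabel": [
                'semanage fcontext -a -t %s "%s(/.*)?"' % (content_type, mountpoint),
                "restorecon -Rv %s" % mountpoint,
            ],
        }
    return {
        "reason": "target already labelled %s; verify the label before adding allow rules"
                  % rec["ttype"],
        # Dry run: reports what restorecon would change without touching anything.
        "check": "restorecon -nv <path>",
    }


def triage(text):
    """Parse every AVC line in text and attach a classification and remedy."""
    results = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            rec["class"] = classify(rec)
            rec["remedy"] = remedy(rec)
            results.append(rec)
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_AVCS):
        print("%s -> %s [%s] %s: %s" % (r["stype"], r["ttype"], r["tclass"],
                                        r["class"], r["remedy"]["reason"]))
```

On a live system the same parser can be fed the output of `ausearch -m avc -ts recent`; the point of the classification step is that a file_t target should never be fed straight into audit2allow, because an allow rule against file_t would also cover every other unlabelled object the domain can reach.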