> Ok here is how I have simulated what you are trying to do.
>
> cp /bin/sh /var/www/httpdsh
> chcon -t httpd_exec_t /var/www/httpdsh
>
> Add the following lines to /etc/selinux/targeted/src/policy/domains/misc/local.te
>
> domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)
> allow httpd_t devpts_t:chr_file rw_file_perms;
>
> cd /etc/selinux/targeted/src/policy/
> make load
> setsebool httpd_tty_comm=1
>
> Then run /var/www/httpdsh as root.
>
> /var/www/httpdsh
> httpdsh: /root/.bashrc: Permission denied
> # id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:httpd_t:s0-s0:c0.c127
> # cat /etc/shadow
> cat: /etc/shadow: Permission denied
> # cat /var/log/messages
> cat: /var/log/messages: Permission denied
Ok, thanks for the lines. It works fine when I'm in X mode (xterm), but when I change to console mode (tty1) and execute /var/www/httpdsh it does not work. It's as if I don't execute the program. I don't get to the httpd bash. I don't receive any message on the console. I don't receive any message in /var/log/message. I don't receive any message in /var/log/audit/audit.log. It's as if it had not done anything.

What happens?
pedro esteban wrote:
> > Ok here is how I have simulated what you are trying to do.
> >
> > cp /bin/sh /var/www/httpdsh
> > chcon -t httpd_exec_t /var/www/httpdsh
> >
> > Add the following lines to /etc/selinux/targeted/src/policy/domains/misc/local.te
> >
> > domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)
> > allow httpd_t devpts_t:chr_file rw_file_perms;
> >
> > cd /etc/selinux/targeted/src/policy/
> > make load
> > setsebool httpd_tty_comm=1
> >
> > Then run /var/www/httpdsh as root.
> >
> > /var/www/httpdsh
> > httpdsh: /root/.bashrc: Permission denied
> > # id
> > uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:httpd_t:s0-s0:c0.c127
> > # cat /etc/shadow
> > cat: /etc/shadow: Permission denied
> > # cat /var/log/messages
> > cat: /var/log/messages: Permission denied
>
> Ok, thanks for the lines. It works fine when I'm in X mode (xterm), but when I change to console mode (tty1) and execute /var/www/httpdsh it does not work. It's as if I don't execute the program. I don't get to the httpd bash. I don't receive any message on the console. I don't receive any message in /var/log/message. I don't receive any message in /var/log/audit/audit.log. It's as if it had not done anything.
>
> What happens?
You need to add getattr and ioctl to your tty. I am adding it to Policy.
You could add
allow httpd_t tty_device_t:chr_file { getattr ioctl };
to local.te
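Why the xterm case worked and the tty1 case did not, modelled as an added example (not code from this thread or from the SELinux policy sources): an xterm hands the shell a pseudo-terminal labelled devpts_t, which the first allow rule already covers, while the console tty1 is labelled tty_device_t and so needs the extra rule. The parser below is a deliberately minimal model of TE allow-rule syntax, and the expansion of rw_file_perms is an assumption based on the usual definition of that macro.

```python
import re

# Simplified model of SELinux TE allow rules; not the real policy compiler.
# Only the rule forms that appear in this thread are handled.
# ASSUMPTION: rw_file_perms expands to the usual file read/write set.
MACROS = {
    "rw_file_perms": {"ioctl", "read", "getattr", "lock", "write", "append"},
}

# allow <source> <target>:<class> <perm | macro | { perm perm ... }> ;
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def expand_perms(spec):
    """Turn `{ getattr ioctl }`, a macro name or a single perm into a set."""
    perms = set()
    for name in spec.strip("{} ").split():
        perms |= MACROS.get(name, {name})
    return perms


def parse_allow_rules(te_text):
    """Return (source, target, class, perms) tuples from local.te text.
    Lines that are not allow rules (e.g. domain_auto_trans) are ignored."""
    return [(s, t, c, expand_perms(p)) for s, t, c, p in ALLOW_RE.findall(te_text)]


def is_allowed(rules, source, target, cls, perm):
    return any(s == source and t == target and c == cls and perm in ps
               for s, t, c, ps in rules)


# The two policy fragments from the thread.
ORIGINAL_TE = """
domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)
allow httpd_t devpts_t:chr_file rw_file_perms;
"""
FIXED_TE = ORIGINAL_TE + "allow httpd_t tty_device_t:chr_file { getattr ioctl };\n"


def console_access(te_text, tty_type):
    """Which of getattr/ioctl httpd_t gets on a terminal of the given type."""
    rules = parse_allow_rules(te_text)
    return {p: is_allowed(rules, "httpd_t", tty_type, "chr_file", p)
            for p in ("getattr", "ioctl")}


if __name__ == "__main__":
    for label, te in (("original", ORIGINAL_TE), ("with tty rule", FIXED_TE)):
        for tty in ("devpts_t", "tty_device_t"):
            print(label, tty, console_access(te, tty))
```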
On Wed, 28 Sep 2005 11:18:33 EDT, Daniel J Walsh said:
> You need to add getattr and ioctl to your tty. I am adding it to Policy.
>
> You could add
>
> allow httpd_t tty_device_t:chr_file { getattr ioctl };
>
> to local.te
Umm... you're not adding it to the shipping policy, are you? Is there any *real* usage (as opposed to simulating a hack-in) that httpd_t needs those two added?
Valdis.Kletnieks@vt.edu wrote:
> On Wed, 28 Sep 2005 11:18:33 EDT, Daniel J Walsh said:
> > You need to add getattr and ioctl to your tty. I am adding it to Policy.
> >
> > You could add
> >
> > allow httpd_t tty_device_t:chr_file { getattr ioctl };
> >
> > to local.te
>
> Umm... you're not adding it to the shipping policy, are you? Is there any *real* usage (as opposed to simulating a hack-in) that httpd_t needs those two added?
These are only used when httpd_tty_comm is set. It is off by default. httpd_tty_comm is only required if you are using public keys that require a password to unlock. So when apache starts it prompts the admin for a password to unlock its certificates.
On Thu, 29 Sep 2005 08:44:35 EDT, Daniel J Walsh said:
> These are only used when httpd_tty_comm is set. It is off by default. httpd_tty_comm is only required if you are using public keys that require a password to unlock. So when apache starts it prompts the admin for a password to unlock its certificates.
Oh, OK... that's a good reason to add it. :) I got the impression it got added to get Pedro's stuff working, and my first thought was "This was what SELinux was designed to *stop*" :)
(Actually, the amount of difficulty that Pedro is having is a very good sign - it means that we did things right. :)
selinux@lists.fedoraproject.org