On Sat, 2009-03-21 at 02:26 +0000, Aaron Gray wrote:
On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on Apache. Runs fine in permissive mode not in enforcing.
I had to use 'setenforce 0', remove the grep, and then whittle down the code a bit.
mkdir gitweb-policy; cd gitweb-policy; echo "policy_module(gitweb, 0.0.1)" > gitweb.te echo "apache_content_template(gitweb)" >> gitweb.te echo "/var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)" >gitweb.fc
make -f /usr/share/selinux/devel/Makefile semodule -i gitweb.pp restorecon -R -v /var/www/git/gitweb.cgi
setenforce 0;
Do the http access !
setenforce 1;
ausearch -m avc -ts today | audit2allow -R >> gitweb.te;
make -f /usr/share/selinux/devel/Makefile;
semodule -i gitweb.pp
Whittle the code down a bit to :- gitweb.te policy_module(gitweb, 0.0.1) apache_content_template(gitweb)
require { type httpd_sys_script_t; }
#============= httpd_sys_script_t ============== files_list_default(httpd_sys_script_t) files_read_default_files(httpd_sys_script_t)
Looks like something went wrong here. for starters something is running in the httpd_sys_script_t domain and not httpd_gitweb_script_t.
Second youre giving httpd_sys_script_t access to read files with type default_t (not recommended)
http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/
Heres my git policy: policy_module(git_daemon, 0.0.1)
######################################## # # Git daemon declarations #
attribute git_daemon_user_content_type; attribute git_daemon_system_content_type;
type git_daemon_t; type git_daemon_exec_t; inetd_service_domain(git_daemon_t, git_daemon_exec_t) role system_r types git_daemon_t;
application_executable_file(git_daemon_exec_t)
type git_daemon_system_content_t, git_daemon_system_content_type; typeattribute git_daemon_system_content_t git_daemon_system_content_type; files_type(git_daemon_system_content_t)
## <desc> ## <p> ## Allow Git daemon to read home directories. ## </p> ## </desc> gen_tunable(git_daemon_enable_homedirs, false)
## <desc> ## <p> ## Allow Git daemon to access nfs file systems. ## </p> ## </desc> gen_tunable(git_daemon_use_nfs, false)
## <desc> ## <p> ## Allow Git daemon to access cifs file systems. ## </p> ## </desc> gen_tunable(git_daemon_use_cifs, false)
######################################## # # Git daemon policy #
allow git_daemon_t self:fifo_file rw_fifo_file_perms; allow git_daemon_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; allow git_daemon_t self:udp_socket { write read create connect getattr }; allow git_daemon_t self:unix_dgram_socket { write create connect };
list_dirs_pattern(git_daemon_t, git_daemon_system_content_type, git_daemon_system_content_type) read_files_pattern(git_daemon_t, git_daemon_system_content_type, git_daemon_system_content_type)
corecmd_exec_bin(git_daemon_t)
corenet_all_recvfrom_unlabeled(git_daemon_t) corenet_all_recvfrom_netlabel(git_daemon_t)
files_read_etc_files(git_daemon_t) files_search_usr(git_daemon_t)
fs_search_auto_mountpoints(git_daemon_t)
kernel_read_system_state(git_daemon_t)
libs_use_ld_so(git_daemon_t) libs_use_shared_libs(git_daemon_t)
logging_send_syslog_msg(git_daemon_t)
miscfiles_read_localization(git_daemon_t)
miscfiles_read_public_files(git_daemon_t)
sysnet_read_config(git_daemon_t)
optional_policy(` apache_content_template(gitweb) apache_search_sys_content(httpd_gitweb_script_t) files_getattr_tmp_dirs(httpd_gitweb_script_t) git_daemon_read_system_content(httpd_gitweb_script_t) ')
optional_policy(` nscd_read_pid(git_daemon_t) ')
tunable_policy(`git_daemon_enable_homedirs && use_nfs_home_dirs', ` fs_list_nfs(git_daemon_t) fs_read_nfs_files(git_daemon_t) ')
tunable_policy(`git_daemon_use_nfs', ` fs_list_nfs(git_daemon_t) fs_read_nfs_files(git_daemon_t) ')
tunable_policy(`git_daemon_enable_homedirs && use_samba_home_dirs', ` fs_list_cifs(git_daemon_t) fs_read_cifs_files(git_daemon_t) ')
tunable_policy(`git_daemon_use_cifs', ` fs_list_cifs(git_daemon_t) fs_read_cifs_files(git_daemon_t) ')
tunable_policy(`git_daemon_enable_homedirs', ` list_dirs_pattern(git_daemon_t, git_daemon_user_content_type, git_daemon_user_content_type) read_files_pattern(git_daemon_t, git_daemon_user_content_type, git_daemon_user_content_type) userdom_search_all_users_home_dirs(git_daemon_t) ')
#EOF
## <summary>SELinux policy for Git daemon.</summary> ## <desc> ## <p> ## Git daemon is a really simple server for Git ## repositories. ## </p> ## </desc>
####################################### ## <summary> ## The per role template for the Git daemon module. ## </summary> ## <desc> ## <p> ## This template creates derived domains which are used ## for Git daemon. ## </p> ## <p> ## This template is invoked automatically for each user, and ## generally does not need to be invoked directly ## by policy writers. ## </p> ## </desc> ## <param name="userdomain_prefix"> ## <summary> ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## </summary> ## </param> ## <param name="user_domain"> ## <summary> ## The type of the user domain. ## </summary> ## </param> ## <param name="user_role"> ## <summary> ## The role associated with the user domain. ## </summary> ## </param> # template(`git_daemon_per_role_template', ` gen_require(` type git_daemon_exec_t; attribute git_daemon_user_content_type; ')
######################################## # # Git daemon public declarations. #
type $1_git_daemon_t; application_domain($1_git_daemon_t, git_daemon_exec_t) role $3 types $1_git_daemon_t;
type $1_git_daemon_home_t, git_daemon_user_content_type; userdom_user_home_content($1, $1_git_daemon_home_t)
typeattribute $1_git_daemon_home_t git_daemon_user_content_type;
######################################## # # Git daemon public policy. #
allow $1_git_daemon_t self:fifo_file rw_fifo_file_perms; allow $1_git_daemon_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; allow $1_git_daemon_t self:tcp_socket { bind read write accept create setopt listen }; allow $1_git_daemon_t self:udp_socket { create connect write read getattr };
allow $1_git_daemon_t $2:process sigchld;
allow $2 $1_git_daemon_t:process { ptrace signal_perms };
git_daemon_read_user_content($1, $1_git_daemon_t)
manage_dirs_pattern($2, git_daemon_user_content_type, git_daemon_user_content_type) manage_files_pattern($2, git_daemon_user_content_type, git_daemon_user_content_type) exec_files_pattern($2, git_daemon_user_content_type, git_daemon_user_content_type) userdom_search_user_home_dirs($1, $1_git_daemon_t) userdom_user_home_dir_filetrans($1, $1_git_daemon_t, $1_git_daemon_home_t, { dir file })
relabel_dirs_pattern($2, git_daemon_user_content_type, git_daemon_user_content_type) relabel_files_pattern($2, git_daemon_user_content_type, git_daemon_user_content_type)
domain_auto_trans($2, git_daemon_exec_t, $1_git_daemon_t)
ps_process_pattern($2, $1_git_daemon_t)
corecmd_exec_bin($1_git_daemon_t)
corenet_all_recvfrom_unlabeled($1_git_daemon_t) corenet_all_recvfrom_netlabel($1_git_daemon_t)
corenet_tcp_sendrecv_all_if($1_git_daemon_t) corenet_tcp_sendrecv_all_nodes($1_git_daemon_t)
corenet_tcp_bind_all_nodes($1_git_daemon_t)
corenet_tcp_bind_git_daemon_port($1_git_daemon_t)
files_read_etc_files($1_git_daemon_t)
files_search_home($1_git_daemon_t) files_search_usr($1_git_daemon_t)
fs_search_auto_mountpoints($1_git_daemon_t)
kernel_read_system_state($1_git_daemon_t)
libs_use_ld_so($1_git_daemon_t) libs_use_shared_libs($1_git_daemon_t)
logging_send_syslog_msg($1_git_daemon_t)
miscfiles_read_localization($1_git_daemon_t)
sysnet_read_config($1_git_daemon_t)
userdom_use_user_terminals($1, $1_git_daemon_t)
tunable_policy(`use_nfs_home_dirs', ` fs_list_nfs($1_git_daemon_t) fs_read_nfs_files($1_git_daemon_t) ')
tunable_policy(`use_samba_home_dirs', ` fs_list_cifs($1_git_daemon_t) fs_read_cifs_files($1_git_daemon_t) ')
optional_policy(` nscd_read_pid($1_git_daemon_t) ')
optional_policy(` nis_use_ypbind($1_git_daemon_t) ') ')
######################################## ## <summary> ## Allow the specified domain to read ## Git daemon system content. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`git_daemon_read_system_content', ` gen_require(` attribute git_daemon_system_content_type; ')
files_search_var($1) list_dirs_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type) read_files_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type) ')
######################################## ## <summary> ## Allow the specified domain to manage ## Git daemon system content. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`git_daemon_manage_system_content', ` gen_require(` attribute git_daemon_system_content_type; ')
files_search_var($1) manage_dirs_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type) manage_files_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type) ')
######################################## ## <summary> ## Allow the specified domain to execute ## Git daemon system content files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`git_daemon_execute_system_content_files', ` gen_require(` attribute git_daemon_system_content_type; ') files_search_var($1) exec_files_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type) ')
######################################## ## <summary> ## Allow the specified domain to read ## Git daemon personal repositories. ## </summary> ## <param name="userdomain_prefix"> ## <summary> ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## </summary> ## </param> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`git_daemon_read_user_content', ` gen_require(` attribute git_daemon_user_content_type; ')
allow $2 git_daemon_user_content_type:dir list_dir_perms; allow $2 git_daemon_user_content_type:file read_file_perms; userdom_search_user_home_dirs($1, $2) ')
######################################## ## <summary> ## Allow the specified domain to manage ## Git daemon personal repositories. ## </summary> ## <param name="userdomain_prefix"> ## <summary> ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## </summary> ## </param> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`git_daemon_manage_user_content', ` gen_require(` attribute git_daemon_user_content_type; ')
allow $2 git_daemon_user_content_type:dir manage_dir_perms; allow $2 git_daemon_user_content_type:file manage_file_perms; userdom_user_home_dir_filetrans($1, $2, git_daemon_user_content_type, { dir file }) userdom_search_user_home_dirs($1, $2) ')
######################################## ## <summary> ## Allow the specified domain to relabel ## Git daemon personal repositories. ## </summary> ## <param name="userdomain_prefix"> ## <summary> ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## </summary> ## </param> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`git_daemon_relabel_user_content', ` gen_require(` attribute git_daemon_user_content_type; ')
allow $2 git_daemon_user_content_type:dir relabel_dir_perms; allow $2 git_daemon_user_content_type:file relabel_file_perms; userdom_search_user_home_dirs($1, $2) ')
######################################## ## <summary> ## Allow the specified domain to manage ## all Git daemon content. ## </summary> ## <param name="userdomain_prefix"> ## <summary> ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## </summary> ## </param> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`git_daemon_manage_all_content', ` git_daemon_manage_user_content($1, $2) git_daemon_manage_system_content($2) ')
######################################## ## <summary> ## Allow the specified domain to read ## all Git daemon content. ## </summary> ## <param name="userdomain_prefix"> ## <summary> ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## </summary> ## </param> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`git_daemon_read_all_content', ` git_daemon_read_user_content($1, $2) git_daemon_read_system_content($2) ')
######################################## ## <summary> ## Allow the specified domain to relabel ## all Git daemon content. ## </summary> ## <param name="userdomain_prefix"> ## <summary> ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## </summary> ## </param> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`git_daemon_relabel_all_content', ` git_daemon_relabel_user_content($1, $2) git_daemon_relabel_system_content($2) ')
######################################## ## <summary> ## Allow the specified domain to list ## Git daemon system content directories. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`git_daemon_list_system_content_dirs', ` gen_require(` attribute git_daemon_system_content_type; ')
files_search_var($1) list_dirs_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type) ')
######################################## ## <summary> ## Allow the specified domain to search ## Git daemon system content directories. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`git_daemon_search_system_content_dirs', ` gen_require(` attribute git_daemon_system_content_type; ')
files_search_var($1) search_dirs_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type) ')
####################################### ## <summary> ## The template for creating a Git user domain. ## </summary> ## <desc> ## <p> ## This template creates a user domain, types, and ## rules for the user's pty. ## </p> ## </desc> ## <param name="userdomain_prefix"> ## <summary> ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## </summary> ## </param> # template(`git_daemon_git_user_template',` gen_require(` attribute unpriv_userdomain, userdomain; class context contains; ')
############################## # # Git user public declarations. #
attribute $1_file_type; attribute $1_usertype;
type $1_t, userdomain, $1_usertype; domain_type($1_t)
corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t)
role $1_r types $1_t; allow system_r $1_r;
typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t)
############################## # # Git user public policy. #
allow $1_usertype self:context contains;
allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
corecmd_exec_bin($1_usertype)
kernel_read_system_state($1_usertype)
files_read_etc_files($1_usertype)
files_search_home($1_usertype)
git_daemon_manage_system_content($1_usertype) git_daemon_execute_system_content_files($1_usertype)
libs_use_ld_so($1_usertype) libs_use_shared_libs($1_usertype)
miscfiles_read_localization($1_usertype)
ssh_rw_stream_sockets($1_usertype)
optional_policy(` nscd_read_pid($1_usertype) ') ')
######################################## ## <summary> ## All of the rules required to administrate an ## Git daemon environment ## </summary> ## <param name="userdomain_prefix"> ## <summary> ## Prefix of the domain. Example, user would be ## the prefix for the user_t domain. ## </summary> ## </param> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <param name="role"> ## <summary> ## The role to be allowed to manage the Git daemon domain. ## </summary> ## </param> ## <rolecap/> # interface(`git_daemon_admin', `
gen_require(` type git_daemon_t, git_daemon_exec_t, httpd_gitweb_script_exec_t; ')
allow $1 git_daemon_t:process { getattr ptrace signal_perms };
git_daemon_manage_all_content($1, $2) git_daemon_relabel_all_content($1, $2)
miscfiles_manage_public_files($1)
kernel_search_proc($1) allow $1 git_daemon_t:dir list_dir_perms; read_files_pattern($1, git_daemon_t, git_daemon_t) read_lnk_files_pattern($1, git_daemon_t, git_daemon_t)
manage_files_pattern($1, httpd_gitweb_script_exec_t, httpd_gitweb_script_exec_t) manage_files_pattern($1, git_daemon_exec_t, git_daemon_exec_t)
seutil_domtrans_setfiles($1) ')
#EOF
######################################## # # Git daemon contexts #
HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:ROLE_git_daemon_home_t, s0)
HOME_DIR/.gitconfig -- gen_context(system_u:object_r:ROLE_git_daemon_home_t, s0)
/srv/git(/.*)? gen_context(system_u:object_r:git_daemon_system_content_t, s0)
/usr/bin/git-daemon -- gen_context(system_u:object_r:git_daemon_exec_t, s0)
/var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)
#EOF
But it wont work unless its modified or integrated properly. Also it might need some polishing.
gitweb.fc /var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)