[ale] CEntOS 5.6 + PHP53 + Drupal6 + Selinux

Jim Kinney jim.kinney at gmail.com
Wed Jul 27 21:58:56 EDT 2011


= a long arduous pile of pain setting up a gazillion selinux allowances.

Dump the audit log, restart httpd, test, get a failure and generate a possible
solution with audit2allow -R; edit local-drupal_sux_selinux_hard.te and merge
in the new policy changes, make, make load; repeat while noting with terror
all the things this environment is touching.

current te file (yes, it's only 14 iterations so far, I'm whining):

policy_module(local-fastcgi, 1.0.14)

require {
    type httpd_t;
    type httpd_sys_content_t;
    type httpd_suexec_t;
    type httpd_sys_script_exec_t;
    type home_root_t;
    type security_t;
    type semanage_t;
    type load_policy_t;
    type setfiles_t;
    # the repeated per-class lines audit2allow -R emitted, merged per class
    class unix_stream_socket { read write shutdown accept ioctl getattr };
    class file { read getattr ioctl write setattr execute execute_no_trans };
    class dir { read write create add_name setattr };
    # signal and sigkill are used by the httpd_t rule below but were not required
    class process { siginh noatsecure rlimitinh setfscreate signal sigkill };
    class security check_context;
}

#============= httpd_suexec_t ==============
allow httpd_suexec_t home_root_t:file getattr;
allow httpd_suexec_t home_root_t:file execute;
allow httpd_suexec_t home_root_t:file read;
allow httpd_suexec_t home_root_t:file execute_no_trans;
allow httpd_suexec_t home_root_t:file ioctl;
allow httpd_suexec_t httpd_sys_content_t:file { write setattr };
allow httpd_suexec_t httpd_sys_content_t:file ioctl;
allow httpd_suexec_t httpd_sys_content_t:dir write;
allow httpd_suexec_t httpd_sys_content_t:dir { write add_name };
allow httpd_suexec_t httpd_sys_content_t:dir create;
allow httpd_suexec_t httpd_sys_content_t:dir setattr;
allow httpd_suexec_t httpd_t:unix_stream_socket { read write shutdown };
allow httpd_suexec_t httpd_t:unix_stream_socket { ioctl getattr };
allow httpd_suexec_t httpd_t:unix_stream_socket accept;
allow httpd_suexec_t httpd_sys_script_exec_t:dir read;
allow httpd_suexec_t self:process setfscreate;
allow httpd_suexec_t security_t:file read;
allow httpd_suexec_t security_t:security check_context;
kernel_read_system_state(httpd_suexec_t)
selinux_search_fs(httpd_suexec_t)
selinux_load_policy(httpd_suexec_t)
snmp_read_snmp_var_lib_files(httpd_suexec_t)
seutil_search_default_contexts(httpd_suexec_t)
seutil_read_config(httpd_suexec_t)
seutil_read_file_contexts(httpd_suexec_t)
corenet_tcp_connect_http_port(httpd_suexec_t)
apache_read_sys_content(httpd_suexec_t)

#============= httpd_t ==============
allow httpd_t home_root_t:file { read getattr };
allow httpd_t httpd_suexec_t:process { siginh signal rlimitinh sigkill noatsecure };
allow httpd_t self:process setfscreate;
allow httpd_t security_t:security check_context;
selinux_search_fs(httpd_t)
seutil_search_default_contexts(httpd_t)
selinux_load_policy(httpd_t)
snmp_read_snmp_var_lib_files(httpd_t)

#============= semanage_t ==============
allow semanage_t load_policy_t:process { siginh rlimitinh noatsecure };
allow semanage_t setfiles_t:process { siginh rlimitinh noatsecure };

The really sour grapes part is I know the following part is just _wrong_:
#============= httpd_suexec_t ==============
allow httpd_suexec_t home_root_t:file getattr;
allow httpd_suexec_t home_root_t:file execute;
allow httpd_suexec_t home_root_t:file read;
allow httpd_suexec_t home_root_t:file execute_no_trans;
allow httpd_suexec_t home_root_t:file ioctl;

The file it's hitting (fcgi-bin/php5.fcgi) should NOT be set to home_root_t
but should be set to httpd_sys_script_exec_t, but for unknown reasons chcon
is blocked from changing the file context on that FCGIWrapper in the virtual
host's fcgi-bin dir. Even the facls are correct. mod_fcgid sets a binary
elsewhere, but the simple fcgi file is copied from ??? or generated by
virtualmin (ARGH!). It works fine, but the busted context and blocked change
have me stumped.

So the other alternative is to use the drupal rpm from EPEL with the hope
they have the selinux contexts included, scavenge those from the
post-install script section, and also hope it works happily with virtualmin,
as that is a huge pile of perl I really don't want to start poking around in.

It's time for a beer (or three).

-- 
James P. Kinney III

As long as the general population is passive, apathetic, diverted to
consumerism or hatred of the vulnerable, then the powerful can do as they
please, and those who survive will be left to contemplate the outcome.
- 2011 Noam Chomsky

http://heretothereideas.blogspot.com/
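The loop in the post (audit2allow -R, edit the .te, make, make load, repeat) has no step that questions what audit2allow proposes, and the post itself spots the result: rules that execute a mislabelled home_root_t file instead of fixing the label. Two other rules in the quoted module deserve the same suspicion: writes into httpd_sys_content_t (the label for read-only web content; writable subtrees get httpd_sys_rw_content_t), and selinux_load_policy() granted to httpd_t and httpd_suexec_t, which lets a compromised web process rewrite its own confinement. The script below is an added example, not code from the post or from the audit2allow/refpolicy projects: a lint to run on the generated .te before "make load". The function names lint_te and lint_gate, the LINT_HITS variable, the three patterns and their reasons are this example's own choices, and the sample .te files it writes are constructed, not the poster's full module.

```shell
#!/bin/sh
# Added example (not from the original post): lint an audit2allow -R generated
# .te file before "make load", flagging rules that widen the web server's
# confinement instead of fixing a label. The patterns are this example's own
# choice, drawn from the rules quoted in the post; extend the case statement.

# lint_te FILE
#   Prints each flagged rule with a one-line reason to stdout and leaves the
#   number of flagged rules in LINT_HITS (0 means nothing was flagged).
lint_te() {
    LINT_HITS=0
    while IFS= read -r line; do
        reason=""
        case "$line" in
            ''|\#*) continue ;;   # blank line or audit2allow section comment
            # a web domain executing something labelled home_root_t means the
            # wrapper is mislabelled: relabel it httpd_sys_script_exec_t instead
            "allow httpd_"*"home_root_t:file"*execute*)
                reason="executes a home_root_t file: relabel the wrapper instead" ;;
            # httpd writing into plain content: label only the writable subtree
            # httpd_sys_rw_content_t rather than opening all of httpd_sys_content_t
            "allow httpd_"*"httpd_sys_content_t:dir"*write*|\
            "allow httpd_"*"httpd_sys_content_t:dir"*add_name*|\
            "allow httpd_"*"httpd_sys_content_t:file"*write*)
                reason="writes to httpd_sys_content_t: use httpd_sys_rw_content_t" ;;
            # a web domain that can load policy can undo its own confinement
            "selinux_load_policy(httpd_"*)
                reason="web domain may load SELinux policy: find the caller, never allow" ;;
        esac
        if [ -n "$reason" ]; then
            LINT_HITS=$((LINT_HITS + 1))
            printf '%s\n    -> %s\n' "$line" "$reason"
        fi
    done < "$1"
}

# lint_gate FILE: succeeds only when nothing was flagged, so it can guard the
# load step in the loop, e.g.  lint_gate local-fastcgi.te && make load
lint_gate() {
    lint_te "$1" >/dev/null
    [ "$LINT_HITS" -eq 0 ]
}

# Constructed sample in the shape audit2allow -R emits (not the post's file)
SAMPLE_TE="${TMPDIR:-/tmp}/te_lint_sample_$$.te"
cat > "$SAMPLE_TE" <<'EOF'
policy_module(local-fastcgi, 1.0.14)
#============= httpd_suexec_t ==============
allow httpd_suexec_t home_root_t:file getattr;
allow httpd_suexec_t home_root_t:file execute;
allow httpd_suexec_t home_root_t:file execute_no_trans;
allow httpd_suexec_t httpd_sys_content_t:dir { write add_name };
allow httpd_suexec_t httpd_t:unix_stream_socket { read write shutdown };
selinux_load_policy(httpd_suexec_t)
corenet_tcp_connect_http_port(httpd_suexec_t)
#============= httpd_t ==============
allow httpd_t home_root_t:file { read getattr };
selinux_load_policy(httpd_t)
EOF

# Second constructed file with only a benign socket rule: a clean pass
CLEAN_TE="${TMPDIR:-/tmp}/te_lint_clean_$$.te"
printf 'allow httpd_suexec_t httpd_t:unix_stream_socket { read write shutdown };\n' > "$CLEAN_TE"
trap 'rm -f "$SAMPLE_TE" "$CLEAN_TE"' EXIT

lint_te "$SAMPLE_TE"
echo "flagged $LINT_HITS rule(s) in $SAMPLE_TE"
```

Run against the constructed sample it flags five rules (the two execute rules on home_root_t, the content-dir write, and both selinux_load_policy calls) and passes the clean file. Where it flags the home_root_t rules, the relabel the post is after is done with semanage fcontext -a -t httpd_sys_script_exec_t '/path/to/fcgi-bin(/.*)?' followed by restorecon -Rv /path/to/fcgi-bin (path is a placeholder); matchpathcon -V on the wrapper reports whether the path's expected label and its actual label disagree, which is the first thing to check when chcon appears to be refused.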