Re: [CentOS] SELinux policy vs. static web content

2019-01-30 Thread Gordon Messmer

On 1/30/19 7:57 AM, Nicolas Kovacs wrote:

> The tl;dr version of my last post is: Apache is not supposed to show
> static web pages with a user_tmp_t SELinux context. So why does it show
> them anyway?

Policy allows that, currently:

# sesearch -A -s httpd_t -t user_tmp_t
Found 15 semantic av rules:
   allow daemon user_tmp_t : file { getattr append } ;
   allow httpd_t user_tmp_t : file { ioctl read write getattr lock append map } ;
   allow domain tmpfile : file { ioctl read getattr lock append open } ;
   allow httpd_t file_type : dir { getattr search open } ;
   allow httpd_t user_tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
   allow httpd_t file_type : filesystem getattr ;
   allow httpd_t user_home_type : file { ioctl read getattr lock open } ;
   allow httpd_t user_home_type : dir { getattr search open } ;
   allow httpd_t user_home_type : dir { ioctl read getattr lock search open } ;
   allow httpd_t user_home_type : dir { getattr search open } ;
   allow httpd_t user_home_type : dir { getattr search open } ;
   allow domain file_type : file map ;
   allow domain file_type : chr_file map ;
   allow domain file_type : blk_file map ;
   allow httpd_t user_home_type : lnk_file { read getattr } ;

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
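What the kernel enforces is the union of every rule above that names httpd_t or one of its attributes and user_tmp_t or one of its attributes; note that `open` on the file is granted only by the domain/tmpfile rule, not by the direct httpd_t/user_tmp_t rule. As an added example, not part of the thread, here is a small Python parser for that sesearch output that computes this union; the attribute memberships in ATTRS are assumptions inferred from which rules sesearch -A returned.

```python
import re

# Constructed sample: the allow rules from the sesearch output quoted above
# (wrapped lines rejoined, rules for other object classes left out).
SESEARCH_OUTPUT = """\
allow daemon user_tmp_t : file { getattr append } ;
allow httpd_t user_tmp_t : file { ioctl read write getattr lock append map } ;
allow domain tmpfile : file { ioctl read getattr lock append open } ;
allow httpd_t file_type : dir { getattr search open } ;
allow httpd_t user_tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow httpd_t user_home_type : file { ioctl read getattr lock open } ;
allow domain file_type : file map ;
"""

# Assumed attribute membership. sesearch -A expanded attributes when it chose
# the rules above; without seinfo we cannot recover them, so they are assumed.
ATTRS = {
    "httpd_t": {"httpd_t", "domain", "daemon"},
    "user_tmp_t": {"user_tmp_t", "tmpfile", "file_type", "user_home_type"},
}

RULE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")

def parse_rules(text):
    """Yield (source, target, class, perms) for each 'allow' line."""
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        src, tgt, cls, multi, single = m.groups()
        perms = set(multi.split()) if multi is not None else {single}
        yield src, tgt, cls, perms

def effective_perms(text, src, tgt, cls, attrs=ATTRS):
    """Union of the permissions granted by every rule that names the type
    itself or one of its attributes: that union is what the kernel checks."""
    src_names, tgt_names = attrs.get(src, {src}), attrs.get(tgt, {tgt})
    perms = set()
    for s, t, c, p in parse_rules(text):
        if c == cls and s in src_names and t in tgt_names:
            perms |= p
    return perms

def can_serve_file(text, src, tgt, attrs=ATTRS):
    """Serving a static file needs open+read on it and search on its directory."""
    f = effective_perms(text, src, tgt, "file", attrs)
    d = effective_perms(text, src, tgt, "dir", attrs)
    return {"open", "read"} <= f and "search" in d
```

Passing `attrs={}` ignores attribute membership and shows that the direct httpd_t/user_tmp_t rule alone would not let Apache open the file.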


Re: [CentOS] SELinux policy vs. static web content

2019-01-30 Thread Nicolas Kovacs
On 30/01/2019 at 16:22, Nicolas Kovacs wrote:
> Some time ago I wrote an introductory article about SELinux on my blog.
> I'm currently updating it for my new blog, and I found a curious change
> in SELinux policy. Here goes.
> 
> For demonstration purposes, I'm using some static webpages, more exactly
> the default pages found in /usr/share/httpd/noindex, which I simply
> copied over to /var/www/html.
> 
> As a first practical example, I'm copying this stuff over to /tmp/backup
> and then moving it back again. A vaguely similar example has been given by
> Thomas Cameron in his presentation "SELinux for mere mortals", and I'm
> reproducing it here with some minor modifications.
> 
>   $ cd /var/www/html/
>   $ mkdir /tmp/backup
>   $ cp -R * /tmp/backup/
>   $ rm -rf *
>   $ mv /tmp/backup/* .
>   $ find . -type d -exec chmod 0755 {} \;
>   $ find . -type f -exec chmod 0644 {} \;
> 
> When I wrote the article back in November 2017, this resulted in a
> classic "Forbidden" error, since the SELinux context of these files is
> not httpd_sys_content_t as it should be, but user_tmp_t.
> 
> But when I try to repeat the experiment now, Apache shows no error.
> Which seems strange.
> 
> Any idea what's going on?

The tl;dr version of my last post is: Apache is not supposed to show
static web pages with a user_tmp_t SELinux context. So why does it show
them anyway?

Cheers,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32


[CentOS] SELinux policy vs. static web content

2019-01-30 Thread Nicolas Kovacs
Hi,

Some time ago I wrote an introductory article about SELinux on my blog.
I'm currently updating it for my new blog, and I found a curious change
in SELinux policy. Here goes.

For demonstration purposes, I'm using some static webpages, more exactly
the default pages found in /usr/share/httpd/noindex, which I simply
copied over to /var/www/html.

As a first practical example, I'm copying this stuff over to /tmp/backup
and then moving it back again. A vaguely similar example has been given by
Thomas Cameron in his presentation "SELinux for mere mortals", and I'm
reproducing it here with some minor modifications.

  $ cd /var/www/html/
  $ mkdir /tmp/backup
  $ cp -R * /tmp/backup/
  $ rm -rf *
  $ mv /tmp/backup/* .
  $ find . -type d -exec chmod 0755 {} \;
  $ find . -type f -exec chmod 0644 {} \;

When I wrote the article back in November 2017, this resulted in a
classic "Forbidden" error, since the SELinux context of these files is
not httpd_sys_content_t as it should be, but user_tmp_t.

But when I try to repeat the experiment now, Apache shows no error.
Which seems strange.

Any idea what's going on?

Niki
-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32