Fedora Linux Support Community & Resources Center

FedoraForum.org > Fedora 17/18 > Security and Privacy

#1
12th August 2012, 01:14 AM
Jeff Sadowski
Registered User
Join Date: Jun 2005
Age: 38
Posts: 350
selinux to allow running irsend from apache

I created execute.php as follows:
Code:
<?php
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin
   1 => array("pipe", "w"),  // stdout
   2 => array("pipe", "w"),  // stderr
);
// Defaults so the print below is defined even when proc_open fails
$stdout = $stderr = '';
$return_value = -1;
// Run irsend with this script's directory as cwd and the inherited environment
$process = proc_open('/bin/irsend list "" ""', $descriptorspec, $pipes, dirname(__FILE__), null);
if (is_resource($process)) {
    fwrite($pipes[0], "");
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);   // irsend writes its list to stderr
    fclose($pipes[2]);
    $return_value = proc_close($process);       // exit status of irsend
}
print "[" . $stderr . "]";
?>
From the command line it works fine:
Code:
# php execute.php 
[irsend: Philips_DVDR3570H_audio
irsend: RC-897
irsend: RC-896
irsend: amp
irsend: Denon_RC-846
irsend: DENON
irsend: denon_rc841
irsend: Denon_RC-840
irsend: RC-830
irsend: Philips_DVDR3570H
irsend: PHILIPS_RC2034302
irsend: dvd712
irsend: Philips_DVD-724
irsend: Philips_DVD711
irsend: Samsung_BN59-00940A
]
Over the web it gave the error:
Code:
irsend:access denied
Looking around, I tried the following to fix it:
Code:
chcon -u system_u -r object_r -t httpd_sys_script_exec_t /bin/irsend
Now I get the following:
Code:
[irsend: could not connect to socket irsend: Permission denied ]
I think it has to do with SELinux. I'd like to leave SELinux enabled but I can't find good documentation on how to do it.
  #2  
12th August 2012, 12:44 PM
domg472
SELinux Contributor
Join Date: May 2008
Posts: 621
Re: selinux to allow running irsend from apache

SELinux logs events in /var/log/audit/audit.log if auditd is enabled.

The audit2allow utility can be used to parse the log and translate the events into policy that SELinux can understand. Using audit2allow with the -M option instructs audit2allow to build a policy module of the events that were passed to it.

One solution would be to test the application in permissive mode and then use the audit suite tool ausearch to parse recent events and pass them to audit2allow -M. Then load the created module with semodule.

Example:
ausearch -m avc -ts recent | audit2allow -M mymodule; semodule -i mymodule.pp

Be sure to review the mymodule.te source policy type enforcement file so that it doesn't include bad or unrelated rules.

audit2allow can be handy for simple things but it cannot make security decisions. All it does is parse, translate and compile.

Another thing to consider here is that you labeled the application with the httpd_sys_script_exec_t type. This tells SELinux that if apache, or a php script that runs on behalf of apache, runs the app, the process type should transition from httpd_t to httpd_sys_script_t.

Process types are like sandboxes. The httpd_sys_script_t type is a type/sandbox for generic httpd/cgi scripts. So if you follow the steps I pointed out above then you will basically extend the generic cgi script domain so that your app can do what it needs.

However, any other script that runs in the generic script domain now also has these permissions.

So that is not optimal.

Instead you could create a new process type that is used just for your app and then extend that, so that it does not affect your other generic scripts.

mkdir ~/myapp
cd ~/myapp
printf 'policy_module(myapp, 1.0.0)\napache_content_template(myapp)\n' > myapp.te
make -f /usr/share/selinux/devel/Makefile myapp.pp
sudo semodule -i myapp.pp

Then label the /bin/irsend command with the new script executable type that was generated from the apache content template:

sudo semanage fcontext -a -t httpd_myapp_script_exec_t /bin/irsend
sudo restorecon -v /bin/irsend

Then in permissive mode test the utility:

setenforce 0
* do tests *
setenforce 1

Then use ausearch, audit2allow and semodule to extend the current httpd_myapp_script_t domain:

ausearch -m avc -ts recent | audit2allow -r >> ~/myapp/myapp.te
* review the myapp.te file *
make -f /usr/share/selinux/devel/Makefile myapp.pp
semodule -i myapp.pp

That is in a nutshell probably one of the easiest ways to achieve this.

There is also a sepolgen tool that tries to make this simple but I am not sure whether it is good to use it in this case (the case where you create an apache cgi domain).
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/
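As an added example (not code from this thread, and not the real audit2allow), here is a small Python sketch of what audit2allow does with the AVC records that ausearch feeds it, with the review step domg472 recommends built in: denials whose source domain is not the new httpd_myapp_script_t are set aside instead of being compiled into the module. The log lines are constructed, and the lircd_t / lircd_var_run_t type names are assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the poster's system) in the layout auditd
# writes to /var/log/audit/audit.log; lircd_t/lircd_var_run_t are assumed names.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1344740000.001:1001): avc:  denied  { write } for  pid=2345 comm="irsend" name="lircd" dev="tmpfs" ino=12345 scontext=system_u:system_r:httpd_myapp_script_t:s0 tcontext=system_u:object_r:lircd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1344740000.002:1002): avc:  denied  { connectto } for  pid=2345 comm="irsend" path="/var/run/lirc/lircd" scontext=system_u:system_r:httpd_myapp_script_t:s0 tcontext=system_u:system_r:lircd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1344740000.002:1002): arch=c000003e syscall=42 success=no exit=-13 comm="irsend"
type=AVC msg=audit(1344740000.003:1003): avc:  denied  { read } for  pid=2400 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# One AVC record: permissions in braces, then source/target context and class.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)')

def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records carry no denial of their own
        # A context is user:role:type[:level]; the type is the third field.
        stype = m.group('scon').split(':')[2]
        ttype = m.group('tcon').split(':')[2]
        yield stype, ttype, m.group('tclass'), set(m.group('perms').split())

def collect_rules(log_text, app_domain):
    """Merge denials for app_domain into allow rules; denials raised by any other
    source domain are returned separately, since a blind `audit2allow -M` run
    would compile those too. Catching them is what the review step is for."""
    wanted, unrelated = defaultdict(set), []
    for stype, ttype, tclass, perms in parse_avc_denials(log_text):
        if stype == app_domain:
            wanted[(ttype, tclass)] |= perms
        else:
            unrelated.append((stype, ttype, tclass, sorted(perms)))
    return dict(wanted), unrelated

def render_te_fragment(app_domain, wanted):
    """Emit the fragment in the shape `audit2allow -r` appends to a .te file."""
    types = sorted({app_domain} | {t for t, _ in wanted})
    body = ["require {"] + [f"\ttype {t};" for t in types]
    body += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for (_, c), p in sorted(wanted.items())]
    body.append("}")
    body += [f"allow {app_domain} {t}:{c} {{ {' '.join(sorted(p))} }};"
             for (t, c), p in sorted(wanted.items())]
    return "\n".join(body) + "\n"
```

Running collect_rules over the sample yields two allow rules for httpd_myapp_script_t and one skipped httpd_t denial that a reviewer would drop from myapp.te.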
  #3  
13th August 2012, 05:42 AM
Jeff Sadowski
Registered User
Join Date: Jun 2005
Age: 38
Posts: 350
Re: selinux to allow running irsend from apache

Thank you so much domg472. That worked pretty well.
It looks like I'm able to run irsend from any php script run from apache now.
This works for me but it looks like you were trying to get it so only the one script would work with it.

Also, how would I use the process you laid out with other programs?
Could I just change httpd?