selinux policy allows apache access to type shadow_t

Bug #203436 reported by tgelter
Affects: refpolicy (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: selinux-policy-refpolicy

I've been teaching SELinux under RHEL for several months and just got it set up under Ubuntu. Here is an observation:

root@guapuraT61:/var/www# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: refpolicy

<in case you don't believe me, here's some more output...>

root@guapuraT61:/var/www# getenforce
Enforcing

root@guapuraT61:/var/www# getsebool -a
allow_execheap --> on
allow_execmem --> on
allow_execmod --> on
allow_execstack --> on
allow_mount_anyfile --> on
allow_polyinstantiation --> off
allow_ptrace --> off
allow_ssh_keysign --> off
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_write_xshm --> off
allow_ypbind --> off
global_ssp --> off
mail_read_content --> off
nfs_export_all_ro --> off
nfs_export_all_rw --> off
read_default_t --> on
read_untrusted_content --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
ssh_sysadm_login --> off
use_lpd_server --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_mouse --> off
user_dmesg --> off
user_rw_noexattrfile --> off
user_tcp_server --> off
user_ttyfile_stat --> off
write_untrusted_content --> off
xdm_sysadm_login --> off

As far as I can tell, apache isn't protected. Here's why this is a problem:
root@guapuraT61:/var/www# ls -Z shadow
system_u:object_r:shadow_t shadow

root@guapuraT61:/var/www# links -dump http://localhost/shadow
   root:thislinehasbeenchangedforsecurity!:13919:0:99999:7:::
   daemon:*:13801:0:99999:7::: bin:*:13801:0:99999:7:::
   sys:*:13801:0:99999:7::: sync:*:13801:0:99999:7:::
   games:*:13801:0:99999:7::: man:*:13801:0:99999:7:::
   lp:*:13801:0:99999:7::: mail:*:13801:0:99999:7:::
   news:*:13801:0:99999:7::: uucp:*:13801:0:99999:7:::
                                 <***snip***>

(yes, this would be the same output that you'd get through a web browser, local or remote)

More info:

root@guapuraT61:/var/www# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu hardy (development branch)"

root@guapuraT61:~# apt-cache policy selinux-policy-refpolicy
selinux-policy-refpolicy:
  Installed: 0.0.20071214-0ubuntu2
  Candidate: 0.0.20071214-0ubuntu2
  Version table:
 *** 0.0.20071214-0ubuntu2 0
        500 http://archive.ubuntu.com hardy/universe Packages
        100 /var/lib/dpkg/status

Caleb Case (calebcase) wrote:

At this time apache is not protected, but we would like it to be ;o} Essentially the policy for apache from refpolicy needs to be adjusted to work on Ubuntu, tested, and packaged.

Daniel T Chen (crimsun)
Changed in refpolicy:
status: New → Confirmed
security vulnerability: yes → no
Laurent Bigonville (bigon) wrote:

Apache should be confined with refpolicy 2:2.20131214-1 (and probably the previous one too). Moreover, "sesearch -A -s httpd_t -t shadow_t -c file" is returning nothing.

I'm closing this bug, feel free to reopen if you are still experiencing this bug.

Changed in refpolicy (Ubuntu):
status: Confirmed → Fix Released
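A defender's check for the condition this report describes, as an added example that is not part of the bug report or of the refpolicy package: it verifies that Apache runs in the httpd_t domain, that the loaded policy has no httpd_t-to-shadow_t file rule (the sesearch query quoted above), and that the shadow file keeps its shadow_t label. The parsers are exercised on constructed sample output; the --live flag is this script's own convention for running the real commands.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit whether Apache is really
# confined. Checks: httpd processes run in httpd_t, the loaded policy has no
# allow rule from httpd_t to shadow_t files, and the shadow file keeps its
# shadow_t label. Each check parses command output passed as an argument so it
# can run on constructed samples; run_live_audit wires it to the real tools.

# 0 if every apache2/httpd line of `ps -eZ` output is in domain httpd_t.
apache_confined() {
  printf '%s\n' "$1" | awk '/apache2|httpd/ {
      split($1, ctx, ":"); if (ctx[3] != "httpd_t") bad = 1
    } END { exit bad + 0 }'
}

# 0 if `sesearch -A -s httpd_t -t shadow_t -c file` output lists no allow rule.
no_shadow_access_rule() {
  ! printf '%s\n' "$1" | grep -q '^[[:space:]]*allow '
}

# 0 if some field of an `ls -Z` line is a context of type shadow_t (handles
# both "ctx file" and "perms user group ctx file" layouts, with or without MLS).
shadow_labeled() {
  printf '%s\n' "$1" | awk '{
      for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:object_r:shadow_t(:|$)/) found = 1
    } END { exit (found ? 0 : 1) }'
}

run_live_audit() {
  status=0
  command -v sesearch >/dev/null 2>&1 || echo "WARN: sesearch missing, rule check is blind"
  apache_confined "$(ps -eZ)" || { echo "FAIL: apache runs outside httpd_t"; status=1; }
  no_shadow_access_rule "$(sesearch -A -s httpd_t -t shadow_t -c file 2>/dev/null)" ||
    { echo "FAIL: policy allows httpd_t access to shadow_t files"; status=1; }
  shadow_labeled "$(ls -Z /etc/shadow)" || { echo "FAIL: /etc/shadow not labeled shadow_t"; status=1; }
  [ "$status" -eq 0 ] && echo "OK: apache confined and shadow_t unreachable from it"
  return "$status"
}

# Constructed samples mirroring the report: apache running unconfined (here in
# initrc_t), and the stray shadow copy correctly labeled as in the ls -Z output.
SAMPLE_PS='system_u:system_r:initrc_t 2201 ? 00:00:00 apache2'
SAMPLE_LS='system_u:object_r:shadow_t shadow'
demo() {
  apache_confined "$SAMPLE_PS" && echo "apache confined" || echo "apache NOT confined"
  no_shadow_access_rule "" && echo "no httpd_t -> shadow_t file rule in policy"
  shadow_labeled "$SAMPLE_LS" && echo "shadow label intact"
}
if [ "${1:-}" = "--live" ]; then run_live_audit; else demo; fi
```

Note that an empty sesearch result only proves something when setools is installed and the query ran; the WARN line exists because a missing tool would otherwise look like a clean policy.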