Hi, I have user apache running w2p, and this user cannot log in, has no directory, etc. I also set SELinux user mapping for apache on creation to further limit what it can do, i.e.:

    useradd -s /sbin/nologin -d /dev/null -c 'apache webserver' -Z user_u apache

...and I use apache to also start the homemade task queues, e.g.:

    sudo -u apache nohup python web2py.py -S init -M -R HTQ_script.py

...this is called by the root user since apache cannot log in. But where SELinux is concerned, the HTQ script runs as the root user (because the root user uses sudo to run the command as apache) and is thus unconfined (see e.g. https://wiki.gentoo.org/wiki/SELinux/Unconfined_domains for why this is potentially risky), i.e.:

    # as root
    id -Z
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

    # as root, sudo apache
    sudo -u apache id -Z
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I tried messing around with sudo's '-r' param to set other user roles for apache when calling the HTQ script above (like suggested here: <https://superuser.com/questions/687456/selinux-transition-from-unconfined-r-to-user-r>) but couldn't get it to work. I'm also using targeted policy and not MLS, so that might be part of the issue.

I started to look into this deeper but really don't want to have to sit down and read a book on SELinux to figure it all out, and then started to wonder if this matters at all, anyway, and thought maybe the best thing to do would be to ask here.

So the question is, is there any security risk to calling a HTQ script as an SELinux unconfined user?

Thanks for any help,
jl
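As an added example (not from the original post or from web2py), here is a small POSIX shell check a defender can run to confirm which of apache's processes actually ended up in an unconfined domain, rather than relying on `id -Z` from a single shell: it parses `ps -eo label,pid,user,args` output and reports every process of a given user whose SELinux type (the third field of the user:role:type:level context) is unconfined_t. The sample `ps` output, PIDs and labels are constructed so the script runs on a host without SELinux.

```shell
#!/bin/sh
# Added example. Constructed sample of `ps -eo label,pid,user,args` output:
# PID 1340 is a task-queue worker started from a root shell via `sudo -u apache`,
# so it inherits the root shell's unconfined context even though it runs as the
# apache user. PID 1401 is the same command running in a confined domain, and
# PID 1201 is an httpd worker in the policy's httpd_t domain.
SAMPLE_PS='LABEL                                          PID USER   COMMAND
system_u:system_r:httpd_t:s0                   1201 apache /usr/sbin/httpd -DFOREGROUND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1340 apache python web2py.py -S init -M -R HTQ_script.py
user_u:user_r:user_t:s0                        1401 apache python web2py.py -S init -M -R HTQ_script.py
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1500 root   -bash'

# unconfined_procs USER PS_OUTPUT
# Prints "PID TYPE" for every process owned by USER whose SELinux type is
# unconfined_t. The header line is skipped; the label never contains spaces,
# so fields 1-3 are label, pid and user.
unconfined_procs() {
  printf '%s\n' "$2" | awk -v u="$1" 'NR > 1 && $3 == u {
    n = split($1, ctx, ":")
    if (n >= 3 && ctx[3] == "unconfined_t") print $2, ctx[3]
  }'
}

# check_confined USER PS_OUTPUT
# Succeeds (exit 0) only if none of USER's processes are unconfined.
check_confined() {
  [ -z "$(unconfined_procs "$1" "$2")" ]
}

# On a live host, feed real process data instead of the sample:
#   unconfined_procs apache "$(ps -eo label,pid,user,args)"
```

On the sample above, `unconfined_procs apache "$SAMPLE_PS"` reports only PID 1340, the worker launched through sudo from the unconfined root shell.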
*useradd -s /sbin/nologin -d /dev/null -c 'apache webserver' -Z user_u apache* ...and I use apache to also start the homemade task queues, eg- *sudo -u apache nohup python web2py.py -S init -M -R HTQ_script.py* ...this is called by the root user since apache cannot log in. But where selinux is concerned, the HTQ script runs as the root user (because the root user uses sudo to run the command as apache) and is thus unconfined. (see e.g. https://wiki.gentoo.org/wiki/SELinux/Unconfined_domains for why this is potentially risky). i.e.- # as root *id -Z* *unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023* # as root sudo apache *sudo -u apache id -Z* *unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023* I tried messing around with sudo's '-r' param to set other user roles for apache when calling the HTQ script above (like suggested here <https://superuser.com/questions/687456/selinux-transition-from-unconfined-r-to-user-r>) but couldn't get it to work. I'm also using targeted policy and not MLS so that might be part of the issue. I started to look into this deeper but really don't want to have to sit down and read a book on selinux to figure it all out, and then started to wonder if this matters at all, anyway, and thought maybe the best thing to do would be to ask here. So the question is, is there any security risk to calling a HTQ script as a selinux unconfined user?? Thanks for any help, jl -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.