Gecko [ www.thearyasamaj.org ]

Name	Size	Permission
__pycache__	[ DIR ]	drwxr-xr-x
__init__.py	2 B	-rw-r--r--
allow_anon_write.py	3.25 KB	-rw-r--r--
allow_execheap.py	2.39 KB	-rw-r--r--
allow_execmem.py	3.07 KB	-rw-r--r--
allow_execmod.py	5.41 KB	-rw-r--r--
allow_execstack.py	4.73 KB	-rw-r--r--
allow_ftpd_use_cifs.py	3.41 KB	-rw-r--r--
allow_ftpd_use_nfs.py	3.3 KB	-rw-r--r--
associate.py	2.15 KB	-rw-r--r--
automount_exec_config.py	2.66 KB	-rw-r--r--
bind_ports.py	2.81 KB	-rw-r--r--
catchall.py	2.89 KB	-rw-r--r--
catchall_boolean.py	2.89 KB	-rw-r--r--
catchall_labels.py	2.2 KB	-rw-r--r--
chrome.py	2.6 KB	-rw-r--r--
connect_ports.py	2.68 KB	-rw-r--r--
cvs_data.py	2.58 KB	-rw-r--r--
dac_override.py	2.1 KB	-rw-r--r--
device.py	2.74 KB	-rw-r--r--
disable_ipv6.py	1.62 KB	-rw-r--r--
file.py	3.21 KB	-rw-r--r--
filesystem_associate.py	2.46 KB	-rw-r--r--
httpd_can_sendmail.py	1.93 KB	-rw-r--r--
httpd_unified.py	2.86 KB	-rw-r--r--
httpd_write_content.py	2.11 KB	-rw-r--r--
kernel_modules.py	2.74 KB	-rw-r--r--
leaks.py	2.49 KB	-rw-r--r--
mmap_zero.py	2.33 KB	-rw-r--r--
mounton.py	2.48 KB	-rw-r--r--
mozplugger.py	2.79 KB	-rw-r--r--
mozplugger_remove.py	2.17 KB	-rw-r--r--
openvpn.py	2.76 KB	-rw-r--r--
public_content.py	2.57 KB	-rw-r--r--
qemu_blk_image.py	2.55 KB	-rw-r--r--
qemu_file_image.py	2.88 KB	-rw-r--r--
restorecon.py	5.32 KB	-rw-r--r--
restorecon_source.py	3.01 KB	-rw-r--r--
rsync_data.py	2.53 KB	-rw-r--r--
samba_share.py	2.94 KB	-rw-r--r--
sandbox_connect.py	2.23 KB	-rw-r--r--
selinuxpolicy.py	3.09 KB	-rw-r--r--
setenforce.py	2.39 KB	-rw-r--r--
sshd_root.py	2.08 KB	-rw-r--r--
swapfile.py	2.23 KB	-rw-r--r--
sys_module.py	2.35 KB	-rw-r--r--
sys_resource.py	2.62 KB	-rw-r--r--
vbetool.py	2.52 KB	-rw-r--r--
wine.py	2.92 KB	-rw-r--r--
xen_image.py	2.8 KB	-rw-r--r--

Code Editor : allow_anon_write.py

#
# Copyright (C) 2006 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#

import gettext
translation=gettext.translation('setroubleshoot-plugins', fallback=True)
_=translation.gettext

from setroubleshoot.util import *
from setroubleshoot.Plugin import Plugin

class plugin(Plugin):
    summary =_('''
    SELinux policy is preventing an httpd script from writing to a public
    directory.
    ''')

problem_description = _('''
    SELinux policy is preventing an httpd script from writing to a public
    directory.  If httpd is not setup to write to public directories, this
    could signal an intrusion attempt.
    ''')

fix_description = _('''
    If httpd scripts should be allowed to write to public directories you need to turn on the $BOOLEAN boolean and change the file context of the public directory to public_content_rw_t.  Read the httpd_selinux
    man page for further information:
    "setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t <path>"
    You must also change the default file context labeling files on the system in order to preserve public directory labeling even on a full relabel.  "semanage fcontext -a -t public_content_rw_t <path>"
    ''')
    if_text = _("If you want to allow $SOURCE_PATH to be able to write to shared public content")
    then_text = _("you need to change the label on $TARGET_PATH to public_content_rw_t, and potentially turn on the allow_httpd_sys_script_anon_write boolean.")

def get_do_text(self, avc, args):
        do_text = """# semanage fcontext -a -t public_content_rw_t $TARGET_PATH
# restorecon -R -v $TARGET_PATH
# setsebool -P %s %s""" % args
        return do_text

def __init__(self):
        Plugin.__init__(self, __name__)
        self.level="green"

def analyze(self, avc):
        if (avc.matches_target_types(['public_content_t']) and
                avc.all_accesses_are_in(avc.create_file_perms)):

if avc.matches_source_types(['httpd_t']):
                return self.report(('allow_httpd_anon_write', "1"))

if avc.matches_source_types(['httpd_sys_script_t']):
                return self.report(('allow_httpd_sys_script_anon_write', "1"))

if avc.matches_source_types(['ftpd_t']):
                return self.report(('allow_ftpd_anon_write', "1"))

if avc.matches_source_types(['nfsd_t']):
                return self.report(('allow_nfsd_anon_write', "1"))

if avc.matches_source_types(['rsync_t']):
                return self.report(('allow_rsync_anon_write', "1"))

if avc.matches_source_types(['smbd_t']):
                return self.report(('allow_smbd_anon_write', "1"))

return None

${this.title}

Code Editor : allow_anon_write.py