Jochen Wiedmann wrote:
Paul Howarth wrote:
> The simplest fix might be to change the file context of this particular
> CGI script to httpd_unconfined_script_exec_t instead of
> httpd_sys_script_t. That would effectively turn off SELinux protection
> for that particular script.
>
> The alternative approach of using audit2allow to create a local policy
> to allow these capabilities would turn on these capabilities for *all*
> of your CGI scripts, which IMHO would be worse than turning off
> protection for just that one script (particularly if that script was
> well-audited for security issues).
>
> Ideally it would be easy to create a subclass of CGI scripts and assign
> special capabilities to those (I have a similar issue with FastCGI
> scripts that need slightly more capabilities than regular CGI scripts),
> but that's beyond me at this moment.
>
As the script in question can indeed be called well-audited (basically, it
just allows one to trigger a certain action by calling another script with
fixed attributes), I have decided to go with httpd_unconfined_script_exec_t.
That did the trick neatly.
Thanks very much,
Jochen
Another alternative might be to write your own module
Create three files:
# cat >> myapache.te << _EOF
policy_module(myapache,1.0.0)
apache_content_template(myapache)
allow httpd_myapache_script_t self:capability setuid;
allow httpd_myapache_script_t self:process setrlimit;
_EOF
echo > myapache.if
# cat >> myapache.fc << _EOF
/var/www/cgi-bin/myapache_script -- gen_context(system_u:object_r:httpd_myapache_script_exec_t,s0)
_EOF
Then build a policy module.
make -f /usr/share/selinux/devel/Makefile
semodule -i myapache.pp
restorecon -F -v /var/www/cgi-bin/myapache_script
Then try it out.
Of course you might need additional rules.
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
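As an added example (not code from the thread or from the Fedora SELinux project): a small POSIX shell helper that writes the three module files for a confined per-script CGI type in the form shown above, generalized to any module name, script path and set of `class:permission` self rules, and that only attempts the build/load steps where the selinux-policy-devel Makefile is present. The module name, path and permissions are placeholders chosen by the caller.

```shell
#!/bin/sh
# gen_httpd_script_module DIR NAME SCRIPT_PATH [CLASS:PERM ...]
# Writes DIR/NAME.te, DIR/NAME.if and DIR/NAME.fc for a script type
# derived from apache_content_template(). Each CLASS:PERM argument
# becomes an "allow httpd_NAME_script_t self:CLASS PERM;" rule, e.g.
# capability:setuid or process:setrlimit (the two rules in the post above).
gen_httpd_script_module() {
    dir=$1; name=$2; script=$3; shift 3
    mkdir -p "$dir" || return 1
    {
        printf 'policy_module(%s,1.0.0)\n' "$name"
        printf 'apache_content_template(%s)\n' "$name"
        for rule in "$@"; do
            class=${rule%%:*}; perm=${rule#*:}
            # refuse malformed arguments instead of emitting a broken .te
            [ -n "$class" ] && [ -n "$perm" ] && [ "$class" != "$rule" ] || return 1
            printf 'allow httpd_%s_script_t self:%s %s;\n' "$name" "$class" "$perm"
        done
    } > "$dir/$name.te" || return 1
    # the Makefile expects an interface file even when it declares nothing
    : > "$dir/$name.if"
    # a file-context spec is one line: path regex, "--" for regular file, context
    printf '%s -- gen_context(system_u:object_r:httpd_%s_script_exec_t,s0)\n' \
        "$script" "$name" > "$dir/$name.fc"
}

# build_and_load DIR NAME SCRIPT_PATH: compile, insert and relabel, as in the
# post above. Returns 2 (doing nothing) when the devel Makefile is absent.
build_and_load() {
    dir=$1; name=$2; script=$3
    [ -f /usr/share/selinux/devel/Makefile ] || return 2
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$name.pp" ) &&
    semodule -i "$dir/$name.pp" &&
    restorecon -F -v "$script"
}
```

After loading, `ls -Z` on the script should show `httpd_myapache_script_exec_t`; further denials for the new `httpd_myapache_script_t` domain show up in the audit log and can be added to the .te as extra rules.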