On Thursday 02 December 2010 17:47:04 Daniel J Walsh wrote:

> On 12/02/2010 12:44 PM, Tony Molloy wrote:

> > On Thursday 02 December 2010 17:37:54 m.roth@5-cent.us wrote:

> >> Tony Molloy wrote:

> >>> On Thursday 02 December 2010 15:56:59 m.roth@5-cent.us wrote:

> >>>> Daniel J Walsh wrote:

> >>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:

> >>>>>> Hi,

> >>>>>>

> >>>>>> I'm running http on a fully updated Centos 5 system.

> >>>>>>

> >>>>>> httpd-2.2.3-43.el5.centos.3.x86_64

> >>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch

> >>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch

> >>>>>>

> >>>>>> I'm trying to run a cgi script from a user directory.

> >>>>

> >>>> <MVNCH>

> >>>>

> >>>>> Do you have httpd_suexec_disable_trans turned on?

> >>>>

> >>>> Actually, what bothers me is trying to run a .cgi from a user's

> >>>> directory. Can't you create a directory ->under the apache

> >>

> >> <Directory><- that the

> >>

> >>>> users can put scripts in for testing? (I assume that once they're

> >>>> good, they go into the real production location for .cgi.)

> >>>

> >>> Not so easily done ;-)

> >>>

> >>> This is a University environment with several hundred faculty/students

> >>> wanting to use this server to run/check assignments. So they have ftp

> >>

> >> accounts

> >>

> >>> where they can upload any scripts to their public_html directory and

> >>> run

> >>

> >> them

> >>

> >>> from there.

> >>

> >> I figured it was something like that. What I was thinking was

> >>

> >> /var/www/html/public_cgi/<students' directories>

> >>

> >> which would put them in a *legitimate* place for apache to be happy

> >> with, and which selinux would be happy with.

> >>

> >> You *might* need to add them to a group named something like pubcgi, and

> >> make the above group acceptable to selinux and apache.

> >>

> >> mark

> >

> > Interesting idea. I could give it a try next semester.

> >

> > Thanks,

> >

> > Tony

>

> It should not be necessary. public_html labeled correctly will work.

> THe problem you are seeing is that this boolean was set causing suexec

> to not work.

Ok I spoke too soon.

Current situation:

httpd booleans

--------------

[root@garryowen ~]# getsebool -a | grep http

allow_httpd_anon_write --> on

allow_httpd_bugzilla_script_anon_write --> off

allow_httpd_cvs_script_anon_write --> off

allow_httpd_mod_auth_pam --> off

allow_httpd_nagios_script_anon_write --> off

allow_httpd_prewikka_script_anon_write --> off

allow_httpd_squid_script_anon_write --> off

allow_httpd_sys_script_anon_write --> on

httpd_builtin_scripting --> on

httpd_can_network_connect --> on

httpd_can_network_connect_db --> off

httpd_can_network_relay --> on

httpd_can_sendmail --> on

httpd_disable_trans --> off

httpd_enable_cgi --> on

httpd_enable_ftp_server --> off

httpd_enable_homedirs --> on

httpd_read_user_content --> off

httpd_rotatelogs_disable_trans --> off

httpd_ssi_exec --> off

httpd_suexec_disable_trans --> off

httpd_tty_comm --> on

httpd_unified --> on

httpd_use_cifs --> off

httpd_use_nfs --> off

SELinux contexts

----------------

cd /var/pub/ftp

user directory

drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp

cd healyp

drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html

^^^^^^

cd public_html

drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin

^^^

cd cgi-bin

-rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi

^^^

Do these look correct.

Now when I switch SElinux to enforcing it doesn't work, when I switch it to permissive I get a different AVC.

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by suexec. It is not expected that this access is required by suexec and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./ftp,

restorecon -v './ftp'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Raw Audit Messages :

host=garryowen.x.y.z type=AVC msg=audit(1291315633.784:98283): avc: denied { search } for pid=8199 comm="suexec" name="ftp" dev=sda5 ino=65537 scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir

host=garryowen.x.y.z type=AVC msg=audit(1291315633.784:98283): avc: denied { search } for pid=8199 comm="suexec" name="healyp" dev=sda10 ino=9638241 scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=root:object_r:public_content_rw_t:s0 tclass=dir

host=garryowen.x.y.z type=SYSCALL msg=audit(1291315633.784:98283): arch=c000003e syscall=80 success=yes exit=0 a0=2b86038ddde0 a1=1000 a2=0 a3=0 items=0 ppid=789 pid=8199 auid=4294967295 uid=734 gid=803 euid=734 suid=734 fsuid=734 egid=803 sgid=803 fsgid=803 tty=(none) ses=4294967295 comm="suexec" exe="/usr/sbin/suexec" subj=system_u:system_r:httpd_suexec_t:s0 key=(null)

Now I can generate a local policy to allow access.

Thanks,

Tony