Daniel J Walsh wrote:
Jochen Wiedmann wrote:
> Paul Howarth wrote:
>
>
>> The simplest fix might be to change the file context of this particular
>> CGI script to httpd_unconfined_script_exec_t instead of
>> httpd_sys_script_t. That would effectively turn off SELinux protection
>> for that particular script.
>>
>
>
>> The alternative approach of using audit2allow to create a local policy
>> to allow these capabilities would turn on these capabilities for *all*
>> of your CGI scripts, which IMHO would be worse than turning off
>> protection for just that one script (particularly if that script was
>> well-audited for security issues).
>>
>
>
>> Ideally it would be easy to create a subclass of CGI scripts and assign
>> special capabilities to those (I have a similar issue with FastCGI
>> scripts that need slightly more capabilities than regular CGI scripts),
>> but that's beyond me at this moment.
>>
>
> As the script in question can indeed be called well-audited
> (basically, it just allows one to trigger a certain action by calling
> another script with fixed attributes), I have decided to go with
> httpd_unconfined_script_exec_t.
> That did the trick neatly.
>
> Thanks very much,
>
> Jochen
>
Another alternative might be to write your own module.
Create three files:
# cat >> myapache.te << _EOF
policy_module(myapache,1.0.0)
apache_content_template(myapache)
allow httpd_myapache_script_t self:capability setuid;
allow httpd_myapache_script_t self:process setrlimit;
_EOF
echo > myapache.if
# cat >> myapache.te << _EOF
That should be myapache.fc
/var/www/cgi-bin/myapache_script -- gen_context(system_u:object_r:httpd_myapache_script_exec_t,s0)
_EOF
Then build a policy module.
make -f /usr/share/selinux/devel/Makefile
semodule -i myapache.pp
restorecon -F -v /var/www/cgi-bin/myapache_script
Then try it out.
Of course you might need additional rules.
I made something similar for my moin wiki running under mod_fcgid:
te file:
policy_module(apache, 0.2.1)
require {
type devpts_t;
type httpd_t;
type httpd_log_t;
type httpd_sys_script_exec_t;
type var_run_t;
};
# ==========================================================
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
# ==========================================================
apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
# Allow FastCGI applications to live alongside regular CGI apps
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
# FastCGI application doing something to the httpd error log
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
# Not sure what this is doing (happens when fastcgi scripts start)
dontaudit httpd_t devpts_t:chr_file ioctl;
# mod_fcgid setting attr of its socket dir
allow httpd_t var_run_t:dir setattr;
fc file:
/srv/www/tips/cgi-bin/moin.fcgi -- gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
/var/www/tips/cgi-bin/moin.fcgi -- gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
Paul.
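The per-script-domain approach Dan describes (three source files, the devel Makefile, semodule, restorecon), written out as a script that also catches the one mistake that bit his post: an .fc entry that has been wrapped onto two lines. This is an added example, not code from the thread or from the reference policy; the module name "mycgi", the script path /var/www/cgi-bin/mycgi.cgi and the MKCGI_RUN switch are assumptions, while the two extra allow rules are the ones from Dan's message.

```shell
#!/bin/sh
# Added example (not from the thread): generate, sanity-check and optionally
# build/load a local module that gives one CGI script its own SELinux domain
# via apache_content_template, instead of unconfining it or loosening all of
# httpd_sys_script_t. Module name "mycgi" and path /var/www/cgi-bin/mycgi.cgi
# are assumptions; the two extra allow rules are the ones from the thread.

MODNAME=${MODNAME:-mycgi}
SCRIPT=${SCRIPT:-/var/www/cgi-bin/mycgi.cgi}
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile

# Regex an .fc entry must match: one line = path, optional file-type flag,
# gen_context(...) or <<none>>. A wrapped entry (path on one line, gen_context
# on the next) fails here instead of failing at module build time.
FC_RE='^[^[:space:]]+[[:space:]]+((--|-[bcdlps])[[:space:]]+)?(gen_context\([^()]*\)|<<none>>)[[:space:]]*$'

# write_module_sources DIR MOD SCRIPT: create MOD.te, MOD.if and MOD.fc in DIR.
write_module_sources() {
    dir=$1; mod=$2; script=$3
    # No apostrophes or backticks in .te comments: they are m4 quote characters.
    cat > "$dir/$mod.te" <<EOF
policy_module($mod, 1.0.0)

# Declares httpd_${mod}_script_t, httpd_${mod}_script_exec_t and the matching
# content types, and the transition httpd_t -> httpd_${mod}_script_t on exec.
apache_content_template($mod)

# Only this domain gets the extra rights; ordinary CGI scripts stay confined.
allow httpd_${mod}_script_t self:capability setuid;
allow httpd_${mod}_script_t self:process setrlimit;
EOF
    # The devel Makefile expects an interface file even if it is empty.
    : > "$dir/$mod.if"
    # .fc paths are regular expressions, so escape the dots in the path.
    esc=$(printf '%s\n' "$script" | sed 's/\./\\./g')
    printf '%s\t--\tgen_context(system_u:object_r:httpd_%s_script_exec_t,s0)\n' \
        "$esc" "$mod" > "$dir/$mod.fc"
}

# check_fc_file FILE: succeed only if every non-comment line matches FC_RE.
check_fc_file() {
    [ -f "$1" ] || return 1
    bad=$(grep -vE '^(#|[[:space:]]*$)' "$1" | grep -vcE "$FC_RE" || true)
    [ "${bad:-0}" -eq 0 ]
}

# build_and_install DIR MOD SCRIPT: the three commands from the thread.
# Returns 2 when the policy devel headers or semodule are not on this host.
build_and_install() {
    dir=$1; mod=$2; script=$3
    if [ ! -f "$DEVEL_MAKEFILE" ] || ! command -v semodule >/dev/null 2>&1; then
        echo "no $DEVEL_MAKEFILE or semodule here; sources left in $dir" >&2
        return 2
    fi
    check_fc_file "$dir/$mod.fc" || { echo "malformed $mod.fc" >&2; return 1; }
    (cd "$dir" && make -f "$DEVEL_MAKEFILE") || return 1
    semodule -i "$dir/$mod.pp" || return 1
    # Relabel the script; ls -Z should now show httpd_${mod}_script_exec_t.
    restorecon -F -v "$script"
    ls -Z "$script"
}

# Only act when explicitly asked, so sourcing the file has no side effects.
if [ "${MKCGI_RUN:-0}" = 1 ]; then
    work=$(mktemp -d)
    write_module_sources "$work" "$MODNAME" "$SCRIPT"
    build_and_install "$work" "$MODNAME" "$SCRIPT"
fi
```

Run it as root with MKCGI_RUN=1 on a host that has the selinux-policy devel headers installed. After the script is relabelled, exercise it through httpd and look at the AVC denials that remain; only those raised by httpd_mycgi_script_t belong in this module, so feed just those lines to audit2allow and paste the resulting rules into mycgi.te rather than generating a second, broader module.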