8:35 a.m.
Hi,
I'm running http on a fully updated Centos 5 system.
httpd-2.2.3-43.el5.centos.3.x86_64
selinux-policy-2.4.6-279.el5_5.2.noarch
selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
I'm trying to run a cgi script from a user directory.
With SELinux enabled I get the following error.
[Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]
(13)Permission denied: exec of '/usr/sbin/suexec' failed
[Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]
Premature end of script headers: survey.cgi
With SELinux in permissive mode I get the following AVC
Summary:
SELinux prevented httpd executing access to http files.
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux prevented httpd executing access to http files. Ordinarily httpd is
allowed full access to all files labeled with http file context. This machine
has a tightened security policy with the httpd_unified turned off, this
requires
explicit labeling of all files. If a file is a cgi script it needs to be
labeled
with httpd_TYPE_script_exec_t in order to be executed. If it is read-only
content, it needs to be labeled httpd_TYPE_content_t, it is writable content.
it
needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can
use the chcon command to change these contexts. Please refer to the man page
"man httpd_selinux" or FAQ (http://fedora.redhat.com/docs/selinux-apache-fc3)
"TYPE" refers to one of "sys", "user" or "staff"
or potentially other script
types.
Allowing Access:
Changing the "httpd_unified" boolean to true will allow this access:
"setsebool -P httpd_unified=1"
The following command will allow this access:
setsebool -P httpd_unified=1
Additional Information:
Source Context system_u:system_r:httpd_t
Target Context system_u:object_r:httpd_suexec_exec_t
Target Objects /usr/sbin/suexec [ file ]
Source suexec
Source Path /usr/sbin/suexec
Port <Unknown>
Host a.b.c.d
Source RPM Packages httpd-2.2.3-43.el5.centos.3
Target RPM Packages httpd-2.2.3-43.el5.centos.
Policy RPM selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name httpd_unified
Host Name a.b.c.d
Platform Linux a.b.c.d 2.6.18-194.17.4.el5
#1 SMP Mon Oct 25 15:50:53 EDT 2010 x86_64
Alert Count 2
First Seen Thu Dec 2 13:09:20 2010
Last Seen Thu Dec 2 13:33:32 2010
Local ID 4a26d013-6f04-4a0f-af21-760368cc9908
Line Numbers
Raw Audit Messages
host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied {
execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec"
dev=sda2
ino=1791541 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
host=a.b.c.d type=SYSCALL msg=audit(1291296812.604:97588): arch=c000003e
syscall=59 success=yes exit=0 a0=2abacad53449 a1=2abae3768e90 a2=2abae37684d8
a3=0 items=0 ppid=789 pid=5567 auid=4294967295 uid=48 gid=48 euid=0 suid=0
fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="suexec"
exe="/usr/sbin/suexec" subj=system_u:system_r:httpd_t:s0 key=(null)
So it suggests "setsebool -P httpd_unified=1" will allow this access.
However getsebool -a | grep http gives
httpd_unified --> on
So it is allready on.
Thanks,
Tony
9:04 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/02/2010 09:35 AM, Tony Molloy wrote:
Hi,
I'm running http on a fully updated Centos 5 system.
httpd-2.2.3-43.el5.centos.3.x86_64
selinux-policy-2.4.6-279.el5_5.2.noarch
selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
I'm trying to run a cgi script from a user directory.
With SELinux enabled I get the following error.
[Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]
(13)Permission denied: exec of '/usr/sbin/suexec' failed
[Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]
Premature end of script headers: survey.cgi
With SELinux in permissive mode I get the following AVC
Summary:
SELinux prevented httpd executing access to http files.
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux prevented httpd executing access to http files. Ordinarily httpd is
allowed full access to all files labeled with http file context. This machine
has a tightened security policy with the httpd_unified turned off, this
requires
explicit labeling of all files. If a file is a cgi script it needs to be
labeled
with httpd_TYPE_script_exec_t in order to be executed. If it is read-only
content, it needs to be labeled httpd_TYPE_content_t, it is writable content.
it
needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can
use the chcon command to change these contexts. Please refer to the man page
"man httpd_selinux" or FAQ (http://fedora.redhat.com/docs/selinux-apache-fc3)
"TYPE" refers to one of "sys", "user" or "staff"
or potentially other script
types.
Allowing Access:
Changing the "httpd_unified" boolean to true will allow this access:
"setsebool -P httpd_unified=1"
The following command will allow this access:
setsebool -P httpd_unified=1
Additional Information:
Source Context system_u:system_r:httpd_t
Target Context system_u:object_r:httpd_suexec_exec_t
Target Objects /usr/sbin/suexec [ file ]
Source suexec
Source Path /usr/sbin/suexec
Port <Unknown>
Host a.b.c.d
Source RPM Packages httpd-2.2.3-43.el5.centos.3
Target RPM Packages httpd-2.2.3-43.el5.centos.
Policy RPM selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name httpd_unified
Host Name a.b.c.d
Platform Linux a.b.c.d 2.6.18-194.17.4.el5
#1 SMP Mon Oct 25 15:50:53 EDT 2010 x86_64
Alert Count 2
First Seen Thu Dec 2 13:09:20 2010
Last Seen Thu Dec 2 13:33:32 2010
Local ID 4a26d013-6f04-4a0f-af21-760368cc9908
Line Numbers
Raw Audit Messages
host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied {
execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec"
dev=sda2
ino=1791541 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
host=a.b.c.d type=SYSCALL msg=audit(1291296812.604:97588): arch=c000003e
syscall=59 success=yes exit=0 a0=2abacad53449 a1=2abae3768e90 a2=2abae37684d8
a3=0 items=0 ppid=789 pid=5567 auid=4294967295 uid=48 gid=48 euid=0 suid=0
fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="suexec"
exe="/usr/sbin/suexec" subj=system_u:system_r:httpd_t:s0 key=(null)
So it suggests "setsebool -P httpd_unified=1" will allow this access.
However getsebool -a | grep http gives
httpd_unified --> on
So it is allready on.
Thanks,
Tony
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Do you have
httpd_suexec_disable_trans turned on?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkz3tXgACgkQrlYvE4MpobNvqACgyPDZttnqlfsDScV9lgqXOWfR
fL0AoOLMqXXVp3QsD43emMuwZzUsFXs6
=xSNL
-----END PGP SIGNATURE-----
9:56 a.m.
Daniel J Walsh wrote:
On 12/02/2010 09:35 AM, Tony Molloy wrote:
>
> Hi,
>
> I'm running http on a fully updated Centos 5 system.
>
> httpd-2.2.3-43.el5.centos.3.x86_64
> selinux-policy-2.4.6-279.el5_5.2.noarch
> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>
>
> I'm trying to run a cgi script from a user directory.
<MVNCH>
Do you have httpd_suexec_disable_trans turned on?
Actually, what bothers me is trying to run a .cgi from a user's directory.
Can't you create a directory ->under the apache <Directory><- that the
users can put scripts in for testing? (I assume that once they're good,
they go into the real production location for .cgi.)
mark
11:22 a.m.
On Thursday 02 December 2010 15:56:59 m.roth(a)5-cent.us wrote:
Daniel J Walsh wrote:
> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>> Hi,
>>
>> I'm running http on a fully updated Centos 5 system.
>>
>> httpd-2.2.3-43.el5.centos.3.x86_64
>> selinux-policy-2.4.6-279.el5_5.2.noarch
>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>
>>
>> I'm trying to run a cgi script from a user directory.
<MVNCH>
> Do you have httpd_suexec_disable_trans turned on?
Actually, what bothers me is trying to run a .cgi from a user's directory.
Can't you create a directory ->under the apache <Directory><- that the
users can put scripts in for testing? (I assume that once they're good,
they go into the real production location for .cgi.)
mark
Not so easily done ;-)
This is a University environment with several hundred faculty/students wanting
to use this server to run/check assignments. So they have ftp accounts where
they can upload any scripts to their public_html directory and run them from
there.
Thanks,
Tony
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
11:37 a.m.
Tony Molloy wrote:
On Thursday 02 December 2010 15:56:59 m.roth(a)5-cent.us wrote:
> Daniel J Walsh wrote:
> > On 12/02/2010 09:35 AM, Tony Molloy wrote:
> >> Hi,
> >>
> >> I'm running http on a fully updated Centos 5 system.
> >>
> >> httpd-2.2.3-43.el5.centos.3.x86_64
> >> selinux-policy-2.4.6-279.el5_5.2.noarch
> >> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
> >>
> >> I'm trying to run a cgi script from a user directory.
>
> <MVNCH>
>
> > Do you have httpd_suexec_disable_trans turned on?
>
> Actually, what bothers me is trying to run a .cgi from a user's
> directory. Can't you create a directory ->under the apache
<Directory><- that the
> users can put scripts in for testing? (I assume that once
they're good,
> they go into the real production location for .cgi.)
>
Not so easily done ;-)
This is a University environment with several hundred faculty/students
wanting to use this server to run/check assignments. So they have ftp
accounts
where they can upload any scripts to their public_html directory and
run
them
from there.
I figured it was something like that. What I was thinking was
/var/www/html/public_cgi/<students' directories>
which would put them in a *legitimate* place for apache to be happy with,
and which selinux would be happy with.
You *might* need to add them to a group named something like pubcgi, and
make the above group acceptable to selinux and apache.
mark
11:44 a.m.
On Thursday 02 December 2010 17:37:54 m.roth(a)5-cent.us wrote:
Tony Molloy wrote:
> On Thursday 02 December 2010 15:56:59 m.roth(a)5-cent.us wrote:
>> Daniel J Walsh wrote:
>> > On 12/02/2010 09:35 AM, Tony Molloy wrote:
>> >> Hi,
>> >>
>> >> I'm running http on a fully updated Centos 5 system.
>> >>
>> >> httpd-2.2.3-43.el5.centos.3.x86_64
>> >> selinux-policy-2.4.6-279.el5_5.2.noarch
>> >> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>> >>
>> >> I'm trying to run a cgi script from a user directory.
>>
>> <MVNCH>
>>
>> > Do you have httpd_suexec_disable_trans turned on?
>>
>> Actually, what bothers me is trying to run a .cgi from a user's
>> directory. Can't you create a directory ->under the apache
<Directory><- that the
>> users can put scripts in for testing? (I assume that once they're good,
>> they go into the real production location for .cgi.)
>
> Not so easily done ;-)
>
> This is a University environment with several hundred faculty/students
> wanting to use this server to run/check assignments. So they have ftp
accounts
> where they can upload any scripts to their public_html directory and run
them
> from there.
I figured it was something like that. What I was thinking was
/var/www/html/public_cgi/<students' directories>
which would put them in a *legitimate* place for apache to be happy with,
and which selinux would be happy with.
You *might* need to add them to a group named something like pubcgi, and
make the above group acceptable to selinux and apache.
mark
Interesting idea. I could give it a try next semester.
Thanks,
Tony
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
11:47 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/02/2010 12:44 PM, Tony Molloy wrote:
On Thursday 02 December 2010 17:37:54 m.roth(a)5-cent.us wrote:
> Tony Molloy wrote:
>> On Thursday 02 December 2010 15:56:59 m.roth(a)5-cent.us wrote:
>>> Daniel J Walsh wrote:
>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>> Hi,
>>>>>
>>>>> I'm running http on a fully updated Centos 5 system.
>>>>>
>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>
>>>>> I'm trying to run a cgi script from a user directory.
>>>
>>> <MVNCH>
>>>
>>>> Do you have httpd_suexec_disable_trans turned on?
>>>
>>> Actually, what bothers me is trying to run a .cgi from a user's
>>> directory. Can't you create a directory ->under the apache
>
> <Directory><- that the
>
>>> users can put scripts in for testing? (I assume that once they're good,
>>> they go into the real production location for .cgi.)
>>
>> Not so easily done ;-)
>>
>> This is a University environment with several hundred faculty/students
>> wanting to use this server to run/check assignments. So they have ftp
>
> accounts
>
>> where they can upload any scripts to their public_html directory and run
>
> them
>
>> from there.
>
> I figured it was something like that. What I was thinking was
>
> /var/www/html/public_cgi/<students' directories>
> which would put them in a *legitimate* place for apache to be happy with,
> and which selinux would be happy with.
>
> You *might* need to add them to a group named something like pubcgi, and
> make the above group acceptable to selinux and apache.
>
> mark
Interesting idea. I could give it a try next semester.
Thanks,
Tony
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
It should not be necessary. public_html labeled correctly will work.
THe problem you are seeing is that this boolean was set causing suexec
to not work.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkz325gACgkQrlYvE4MpobOOLACeJYTbcor9wJPcrl+RrgdQIJAU
awIAoLvCrmAv13LkxKFFBHguGBRb76PE
=NYWQ
-----END PGP SIGNATURE-----
12:10 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
On 12/02/2010 12:44 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 17:37:54 m.roth(a)5-cent.us wrote:
>> Tony Molloy wrote:
>>> On Thursday 02 December 2010 15:56:59 m.roth(a)5-cent.us wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I'm running http on a fully updated Centos 5 system.
>>>>>>
>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>
>>>>>> I'm trying to run a cgi script from a user directory.
>>>>
>>>> <MVNCH>
>>>>
>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>
>>>> Actually, what bothers me is trying to run a .cgi from a user's
>>>> directory. Can't you create a directory ->under the apache
>>
>> <Directory><- that the
>>
>>>> users can put scripts in for testing? (I assume that once they're
good,
>>>> they go into the real production location for .cgi.)
>>>
>>> Not so easily done ;-)
>>>
>>> This is a University environment with several hundred faculty/students
>>> wanting to use this server to run/check assignments. So they have ftp
>>
>> accounts
>>
>>> where they can upload any scripts to their public_html directory and run
>>
>> them
>>
>>> from there.
>>
>> I figured it was something like that. What I was thinking was
>>
>> /var/www/html/public_cgi/<students' directories>
>> which would put them in a *legitimate* place for apache to be happy with,
>> and which selinux would be happy with.
>>
>> You *might* need to add them to a group named something like pubcgi, and
>> make the above group acceptable to selinux and apache.
>>
>> mark
> Interesting idea. I could give it a try next semester.
Not sure if suexec would work if you set it up that way
I've ~/public_html/cgi-bin
~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just dandy
with suexec.
> Thanks,
> Tony
>>
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
It should not be necessary. public_html labeled correctly will work.
THe problem you are seeing is that this boolean was set causing suexec
to not work.
- --
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkz34Q0ACgkQMlxVo39jgT9yFwCfTep/Aw2nQEb6A7HFQN10C6k+
r+4AoJVM/nc2qA+JTgLoaiOxEV1oDq5Q
=W8LY
-----END PGP SIGNATURE-----
12:27 p.m.
On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>> On Thursday 02 December 2010 17:37:54 m.roth(a)5-cent.us wrote:
>>> Tony Molloy wrote:
>>>> On Thursday 02 December 2010 15:56:59 m.roth(a)5-cent.us wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm running http on a fully updated Centos 5 system.
>>>>>>>
>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>
>>>>>>> I'm trying to run a cgi script from a user directory.
>>>>>
>>>>> <MVNCH>
>>>>>
>>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>>
>>>>> Actually, what bothers me is trying to run a .cgi from a user's
>>>>> directory. Can't you create a directory ->under the apache
>>>
>>> <Directory><- that the
>>>
>>>>> users can put scripts in for testing? (I assume that once
they're
>>>>> good, they go into the real production location for .cgi.)
>>>>
>>>> Not so easily done ;-)
>>>>
>>>> This is a University environment with several hundred faculty/students
>>>> wanting to use this server to run/check assignments. So they have ftp
>>>
>>> accounts
>>>
>>>> where they can upload any scripts to their public_html directory and
>>>> run
>>>
>>> them
>>>
>>>> from there.
>>>
>>> I figured it was something like that. What I was thinking was
>>>
>>> /var/www/html/public_cgi/<students' directories>
>>>
>>> which would put them in a *legitimate* place for apache to be happy
>>> with, and which selinux would be happy with.
>>>
>>> You *might* need to add them to a group named something like pubcgi,
>>> and make the above group acceptable to selinux and apache.
>>>
>>> mark
>>
>> Interesting idea. I could give it a try next semester.
Not sure if suexec would work if you set it up that way
I've ~/public_html/cgi-bin
~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just dandy
with suexec.
I'm not clear what you are saying here.
My SELinux contexts
-------------------
cd /var/pub/ftp
user directory
drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp
cd healyp
drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html
^^^^^^
cd public_html
drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
^^^
cd cgi-bin
-rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
^^^
Are you suggesting that ^^^ should be user instead of sys. Would that make a
difference.
Thanks,
Tony
>> Thanks,
>>
>> Tony
>
> It should not be necessary. public_html labeled correctly will work.
> THe problem you are seeing is that this boolean was set causing suexec
> to not work.
12:49 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/02/2010 07:27 PM, Tony Molloy wrote:
On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>>> On Thursday 02 December 2010 17:37:54 m.roth(a)5-cent.us wrote:
>>>> Tony Molloy wrote:
>>>>> On Thursday 02 December 2010 15:56:59 m.roth(a)5-cent.us wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'm running http on a fully updated Centos 5 system.
>>>>>>>>
>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>>
>>>>>>>> I'm trying to run a cgi script from a user
directory.
>>>>>>
>>>>>> <MVNCH>
>>>>>>
>>>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>>>
>>>>>> Actually, what bothers me is trying to run a .cgi from a
user's
>>>>>> directory. Can't you create a directory ->under the
apache
>>>>
>>>> <Directory><- that the
>>>>
>>>>>> users can put scripts in for testing? (I assume that once
they're
>>>>>> good, they go into the real production location for .cgi.)
>>>>>
>>>>> Not so easily done ;-)
>>>>>
>>>>> This is a University environment with several hundred
faculty/students
>>>>> wanting to use this server to run/check assignments. So they have
ftp
>>>>
>>>> accounts
>>>>
>>>>> where they can upload any scripts to their public_html directory and
>>>>> run
>>>>
>>>> them
>>>>
>>>>> from there.
>>>>
>>>> I figured it was something like that. What I was thinking was
>>>>
>>>> /var/www/html/public_cgi/<students' directories>
>>>>
>>>> which would put them in a *legitimate* place for apache to be happy
>>>> with, and which selinux would be happy with.
>>>>
>>>> You *might* need to add them to a group named something like pubcgi,
>>>> and make the above group acceptable to selinux and apache.
>>>>
>>>> mark
>>>
>>> Interesting idea. I could give it a try next semester.
>
> Not sure if suexec would work if you set it up that way
>
> I've ~/public_html/cgi-bin
> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just dandy
> with suexec.
>
I'm not clear what you are saying here.
My SELinux contexts
-------------------
cd /var/pub/ftp
user directory
drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp
cd healyp
drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html
^^^^^^
cd public_html
drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
^^^
cd cgi-bin
-rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
^^^
Are you suggesting that ^^^ should be user instead of sys. Would that make a
difference.
Well if that type exists in your distro than its preferred that you use
it yes. if the httpd_user* types do not exist then you can just use
http_sys* types.
There are some minor differences. One of which is that http_user* types
are user content, meaning users can manage and relabel it. Where
httpd_sys* types are system content types and users *may* not be able to
do all the things the would like to it
I am not sure how that was designed on el5. But in el6 and fedora 14,
you should use httpd_user* types in ~ in my opinion.
But httpd_sys* types also work for the most part. its just not optimal
Thanks,
Tony
>>> Thanks,
>>>
>>> Tony
>>
>> It should not be necessary. public_html labeled correctly will work.
>> THe problem you are seeing is that this boolean was set causing suexec
>> to not work.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkz36j4ACgkQMlxVo39jgT8XRwCgoP3iAeiApYNjPgYaeVCl5lgQ
nn4An2Iyuhz7mXFPoHo9aQU4h5/Zal99
=gFag
-----END PGP SIGNATURE-----
12:58 p.m.
On Thursday 02 December 2010 18:49:34 Dominick Grift wrote:
On 12/02/2010 07:27 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
>> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
>>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>>>> On Thursday 02 December 2010 17:37:54 m.roth(a)5-cent.us wrote:
>>>>> Tony Molloy wrote:
>>>>>> On Thursday 02 December 2010 15:56:59 m.roth(a)5-cent.us wrote:
>>>>>>> Daniel J Walsh wrote:
>>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I'm running http on a fully updated Centos 5
system.
>>>>>>>>>
>>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>>>
>>>>>>>>> I'm trying to run a cgi script from a user
directory.
>>>>>>>
>>>>>>> <MVNCH>
>>>>>>>
>>>>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>>>>
>>>>>>> Actually, what bothers me is trying to run a .cgi from a
user's
>>>>>>> directory. Can't you create a directory ->under the
apache
>>>>>
>>>>> <Directory><- that the
>>>>>
>>>>>>> users can put scripts in for testing? (I assume that once
they're
>>>>>>> good, they go into the real production location for .cgi.)
>>>>>>
>>>>>> Not so easily done ;-)
>>>>>>
>>>>>> This is a University environment with several hundred
>>>>>> faculty/students wanting to use this server to run/check
>>>>>> assignments. So they have ftp
>>>>>
>>>>> accounts
>>>>>
>>>>>> where they can upload any scripts to their public_html directory
and
>>>>>> run
>>>>>
>>>>> them
>>>>>
>>>>>> from there.
>>>>>
>>>>> I figured it was something like that. What I was thinking was
>>>>>
>>>>> /var/www/html/public_cgi/<students' directories>
>>>>>
>>>>> which would put them in a *legitimate* place for apache to be happy
>>>>> with, and which selinux would be happy with.
>>>>>
>>>>> You *might* need to add them to a group named something like
pubcgi,
>>>>> and make the above group acceptable to selinux and apache.
>>>>>
>>>>> mark
>>>>
>>>> Interesting idea. I could give it a try next semester.
>>
>> Not sure if suexec would work if you set it up that way
>>
>> I've ~/public_html/cgi-bin
>> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just dandy
>> with suexec.
>
> I'm not clear what you are saying here.
>
> My SELinux contexts
> -------------------
>
> cd /var/pub/ftp
>
> user directory
>
> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp
>
> cd healyp
>
> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html
>
> ^^^^^^
>
> cd public_html
>
> drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
>
> ^^^
>
> cd cgi-bin
>
> -rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t
> survey.cgi
>
> ^^^
>
> Are you suggesting that ^^^ should be user instead of sys. Would that
> make a difference.
Well if that type exists in your distro than its preferred that you use
it yes. if the httpd_user* types do not exist then you can just use
http_sys* types.
There are some minor differences. One of which is that http_user* types
are user content, meaning users can manage and relabel it. Where
httpd_sys* types are system content types and users *may* not be able to
do all the things the would like to it
I am not sure how that was designed on el5. But in el6 and fedora 14,
you should use httpd_user* types in ~ in my opinion.
But httpd_sys* types also work for the most part. its just not optimal
Ok I don't want the users being able to relabel anything. They are mostly
students and cause enough problems as it is.
Tony
> Thanks,
>
> Tony
>
>>>> Thanks,
>>>>
>>>> Tony
>>>
>>> It should not be necessary. public_html labeled correctly will work.
>>> THe problem you are seeing is that this boolean was set causing suexec
>>> to not work.
1:07 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/02/2010 07:58 PM, Tony Molloy wrote:
On Thursday 02 December 2010 18:49:34 Dominick Grift wrote:
> On 12/02/2010 07:27 PM, Tony Molloy wrote:
>> On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
>>> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
>>>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>>>>> On Thursday 02 December 2010 17:37:54 m.roth(a)5-cent.us wrote:
>>>>>> Tony Molloy wrote:
>>>>>>> On Thursday 02 December 2010 15:56:59 m.roth(a)5-cent.us
wrote:
>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I'm running http on a fully updated Centos 5
system.
>>>>>>>>>>
>>>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>>>>
>>>>>>>>>> I'm trying to run a cgi script from a user
directory.
>>>>>>>>
>>>>>>>> <MVNCH>
>>>>>>>>
>>>>>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>>>>>
>>>>>>>> Actually, what bothers me is trying to run a .cgi from a
user's
>>>>>>>> directory. Can't you create a directory ->under
the apache
>>>>>>
>>>>>> <Directory><- that the
>>>>>>
>>>>>>>> users can put scripts in for testing? (I assume that once
they're
>>>>>>>> good, they go into the real production location for
.cgi.)
>>>>>>>
>>>>>>> Not so easily done ;-)
>>>>>>>
>>>>>>> This is a University environment with several hundred
>>>>>>> faculty/students wanting to use this server to run/check
>>>>>>> assignments. So they have ftp
>>>>>>
>>>>>> accounts
>>>>>>
>>>>>>> where they can upload any scripts to their public_html
directory and
>>>>>>> run
>>>>>>
>>>>>> them
>>>>>>
>>>>>>> from there.
>>>>>>
>>>>>> I figured it was something like that. What I was thinking was
>>>>>>
>>>>>> /var/www/html/public_cgi/<students' directories>
>>>>>>
>>>>>> which would put them in a *legitimate* place for apache to be
happy
>>>>>> with, and which selinux would be happy with.
>>>>>>
>>>>>> You *might* need to add them to a group named something like
pubcgi,
>>>>>> and make the above group acceptable to selinux and apache.
>>>>>>
>>>>>> mark
>>>>>
>>>>> Interesting idea. I could give it a try next semester.
>>>
>>> Not sure if suexec would work if you set it up that way
>>>
>>> I've ~/public_html/cgi-bin
>>> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just dandy
>>> with suexec.
>>
>> I'm not clear what you are saying here.
>>
>> My SELinux contexts
>> -------------------
>>
>> cd /var/pub/ftp
>>
>> user directory
>>
>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp
>>
>> cd healyp
>>
>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html
>>
>> ^^^^^^
>>
>> cd public_html
>>
>> drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
>>
>> ^^^
>>
>> cd cgi-bin
>>
>> -rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t
>> survey.cgi
>>
>> ^^^
>>
>> Are you suggesting that ^^^ should be user instead of sys. Would that
>> make a difference.
>
> Well if that type exists in your distro than its preferred that you use
> it yes. if the httpd_user* types do not exist then you can just use
> http_sys* types.
>
> There are some minor differences. One of which is that http_user* types
> are user content, meaning users can manage and relabel it. Where
> httpd_sys* types are system content types and users *may* not be able to
> do all the things the would like to it
>
> I am not sure how that was designed on el5. But in el6 and fedora 14,
> you should use httpd_user* types in ~ in my opinion.
>
> But httpd_sys* types also work for the most part. its just not optimal
>
Ok I don't want the users being able to relabel anything. They are mostly
students and cause enough problems as it is.
well i am not saying they can relabel everything they just relabel to
and from httpd_user* types. Could be useful. For example a student
moving a script from his home directory to his public_html/cgi-bin
directory could cause issue possibly requiring intervention if its not
httpd_user* type.
In my view a user should be able to restore context of all contents in
his home dir.
Therefore i would not use httpd_sys* types or public_content* types in
users home directories.
i would probably just
adduser joe
mkdir ~/public_html; chcon -R -t httpd_user_content_rw_t ~/public_html
mkdir ~/public_html/cgi-bin; chcon -R -t httpd_user_script_exec_t
~/public_html/cgi-bin
Heck you wouldnt even have to set it up yourself, since your students
have access to both types they could just do it themselves.
Tony
>> Thanks,
>>
>> Tony
>>
>>>>> Thanks,
>>>>>
>>>>> Tony
>>>>
>>>> It should not be necessary. public_html labeled correctly will work.
>>>> THe problem you are seeing is that this boolean was set causing suexec
>>>> to not work.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkz37nQACgkQMlxVo39jgT8LSQCgpXKgfSC7MG+4jXXBbeNy4+z6
HvwAoI4q8fYYEYlayepfQL6WJpphsIBW
=/Nye
-----END PGP SIGNATURE-----
1:21 p.m.
On Thursday 02 December 2010 19:07:33 Dominick Grift wrote:
On 12/02/2010 07:58 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 18:49:34 Dominick Grift wrote:
>> On 12/02/2010 07:27 PM, Tony Molloy wrote:
>>> On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
>>>> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
>>>>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>>>>>> On Thursday 02 December 2010 17:37:54 m.roth(a)5-cent.us wrote:
>>>>>>> Tony Molloy wrote:
>>>>>>>> On Thursday 02 December 2010 15:56:59 m.roth(a)5-cent.us
wrote:
>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I'm running http on a fully updated
Centos 5 system.
>>>>>>>>>>>
>>>>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>>>>>>
selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to run a cgi script from a
user directory.
>>>>>>>>>
>>>>>>>>> <MVNCH>
>>>>>>>>>
>>>>>>>>>> Do you have httpd_suexec_disable_trans turned
on?
>>>>>>>>>
>>>>>>>>> Actually, what bothers me is trying to run a .cgi
from a user's
>>>>>>>>> directory. Can't you create a directory
->under the apache
>>>>>>>
>>>>>>> <Directory><- that the
>>>>>>>
>>>>>>>>> users can put scripts in for testing? (I assume that
once they're
>>>>>>>>> good, they go into the real production location for
.cgi.)
>>>>>>>>
>>>>>>>> Not so easily done ;-)
>>>>>>>>
>>>>>>>> This is a University environment with several hundred
>>>>>>>> faculty/students wanting to use this server to
run/check
>>>>>>>> assignments. So they have ftp
>>>>>>>
>>>>>>> accounts
>>>>>>>
>>>>>>>> where they can upload any scripts to their public_html
directory
>>>>>>>> and run
>>>>>>>
>>>>>>> them
>>>>>>>
>>>>>>>> from there.
>>>>>>>
>>>>>>> I figured it was something like that. What I was thinking
was
>>>>>>>
>>>>>>> /var/www/html/public_cgi/<students'
directories>
>>>>>>>
>>>>>>> which would put them in a *legitimate* place for apache to
be happy
>>>>>>> with, and which selinux would be happy with.
>>>>>>>
>>>>>>> You *might* need to add them to a group named something
like
>>>>>>> pubcgi, and make the above group acceptable to selinux and
apache.
>>>>>>>
>>>>>>> mark
>>>>>>
>>>>>> Interesting idea. I could give it a try next semester.
>>>>
>>>> Not sure if suexec would work if you set it up that way
>>>>
>>>> I've ~/public_html/cgi-bin
>>>> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just
>>>> dandy with suexec.
>>>
>>> I'm not clear what you are saying here.
>>>
>>> My SELinux contexts
>>> -------------------
>>>
>>> cd /var/pub/ftp
>>>
>>> user directory
>>>
>>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp
>>>
>>> cd healyp
>>>
>>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t
>>> public_html
>>>
>>> ^^^^^^
>>>
>>> cd public_html
>>>
>>> drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t
>>> cgi-bin
>>>
>>> ^^^
>>>
>>> cd cgi-bin
>>>
>>> -rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t
>>> survey.cgi
>>>
>>> ^^^
>>>
>>> Are you suggesting that ^^^ should be user instead of sys. Would that
>>> make a difference.
>>
>> Well if that type exists in your distro than its preferred that you use
>> it yes. if the httpd_user* types do not exist then you can just use
>> http_sys* types.
>>
>> There are some minor differences. One of which is that http_user* types
>> are user content, meaning users can manage and relabel it. Where
>> httpd_sys* types are system content types and users *may* not be able to
>> do all the things the would like to it
>>
>> I am not sure how that was designed on el5. But in el6 and fedora 14,
>> you should use httpd_user* types in ~ in my opinion.
>>
>> But httpd_sys* types also work for the most part. its just not optimal
>
> Ok I don't want the users being able to relabel anything. They are mostly
> students and cause enough problems as it is.
well i am not saying they can relabel everything they just relabel to
and from httpd_user* types. Could be useful. For example a student
moving a script from his home directory to his public_html/cgi-bin
directory could cause issue possibly requiring intervention if its not
httpd_user* type.
In my view a user should be able to restore context of all contents in
his home dir.
A user yes, a student no ;-)
No, most of these students are computer music or digital media students who
are basically Windows or Mac users who have minimal Linux experience.
Therefore i would not use httpd_sys* types or public_content* types
in
users home directories.
i would probably just
adduser joe
mkdir ~/public_html; chcon -R -t httpd_user_content_rw_t ~/public_html
mkdir ~/public_html/cgi-bin; chcon -R -t httpd_user_script_exec_t
~/public_html/cgi-bin
They are not "home" directories. They are actually ftp home directories in
/var/ftp/pub. Students develop their scripts on their local machine and upload
them to the server using ftp.
Thanks,
Tony
Heck you wouldnt even have to set it up yourself, since your
students
have access to both types they could just do it themselves.
> Tony
>
>>> Thanks,
>>>
>>> Tony
>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Tony
>>>>>
>>>>> It should not be necessary. public_html labeled correctly will
work.
>>>>> THe problem you are seeing is that this boolean was set causing
>>>>> suexec to not work.
1:24 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/02/2010 02:21 PM, Tony Molloy wrote:
On Thursday 02 December 2010 19:07:33 Dominick Grift wrote:
> On 12/02/2010 07:58 PM, Tony Molloy wrote:
>> On Thursday 02 December 2010 18:49:34 Dominick Grift wrote:
>>> On 12/02/2010 07:27 PM, Tony Molloy wrote:
>>>> On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
>>>>> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
>>>>>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>>>>>>> On Thursday 02 December 2010 17:37:54 m.roth(a)5-cent.us
wrote:
>>>>>>>> Tony Molloy wrote:
>>>>>>>>> On Thursday 02 December 2010 15:56:59
m.roth(a)5-cent.us wrote:
>>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm running http on a fully updated
Centos 5 system.
>>>>>>>>>>>>
>>>>>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>>>>>>>
selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>>>>>>
>>>>>>>>>>>> I'm trying to run a cgi script from a
user directory.
>>>>>>>>>>
>>>>>>>>>> <MVNCH>
>>>>>>>>>>
>>>>>>>>>>> Do you have httpd_suexec_disable_trans turned
on?
>>>>>>>>>>
>>>>>>>>>> Actually, what bothers me is trying to run a .cgi
from a user's
>>>>>>>>>> directory. Can't you create a directory
->under the apache
>>>>>>>>
>>>>>>>> <Directory><- that the
>>>>>>>>
>>>>>>>>>> users can put scripts in for testing? (I assume
that once they're
>>>>>>>>>> good, they go into the real production location
for .cgi.)
>>>>>>>>>
>>>>>>>>> Not so easily done ;-)
>>>>>>>>>
>>>>>>>>> This is a University environment with several
hundred
>>>>>>>>> faculty/students wanting to use this server to
run/check
>>>>>>>>> assignments. So they have ftp
>>>>>>>>
>>>>>>>> accounts
>>>>>>>>
>>>>>>>>> where they can upload any scripts to their
public_html directory
>>>>>>>>> and run
>>>>>>>>
>>>>>>>> them
>>>>>>>>
>>>>>>>>> from there.
>>>>>>>>
>>>>>>>> I figured it was something like that. What I was thinking
was
>>>>>>>>
>>>>>>>> /var/www/html/public_cgi/<students'
directories>
>>>>>>>>
>>>>>>>> which would put them in a *legitimate* place for apache
to be happy
>>>>>>>> with, and which selinux would be happy with.
>>>>>>>>
>>>>>>>> You *might* need to add them to a group named something
like
>>>>>>>> pubcgi, and make the above group acceptable to selinux
and apache.
>>>>>>>>
>>>>>>>> mark
>>>>>>>
>>>>>>> Interesting idea. I could give it a try next semester.
>>>>>
>>>>> Not sure if suexec would work if you set it up that way
>>>>>
>>>>> I've ~/public_html/cgi-bin
>>>>> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just
>>>>> dandy with suexec.
>>>>
>>>> I'm not clear what you are saying here.
>>>>
>>>> My SELinux contexts
>>>> -------------------
>>>>
>>>> cd /var/pub/ftp
>>>>
>>>> user directory
>>>>
>>>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp
>>>>
>>>> cd healyp
>>>>
>>>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t
>>>> public_html
>>>>
>>>> ^^^^^^
>>>>
>>>> cd public_html
>>>>
>>>> drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t
>>>> cgi-bin
>>>>
>>>> ^^^
>>>>
>>>> cd cgi-bin
>>>>
>>>> -rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t
>>>> survey.cgi
>>>>
>>>> ^^^
>>>>
>>>> Are you suggesting that ^^^ should be user instead of sys. Would that
>>>> make a difference.
>>>
>>> Well if that type exists in your distro than its preferred that you use
>>> it yes. if the httpd_user* types do not exist then you can just use
>>> http_sys* types.
>>>
>>> There are some minor differences. One of which is that http_user* types
>>> are user content, meaning users can manage and relabel it. Where
>>> httpd_sys* types are system content types and users *may* not be able to
>>> do all the things the would like to it
>>>
>>> I am not sure how that was designed on el5. But in el6 and fedora 14,
>>> you should use httpd_user* types in ~ in my opinion.
>>>
>>> But httpd_sys* types also work for the most part. its just not optimal
>>
>> Ok I don't want the users being able to relabel anything. They are mostly
>> students and cause enough problems as it is.
>
> well i am not saying they can relabel everything they just relabel to
> and from httpd_user* types. Could be useful. For example a student
> moving a script from his home directory to his public_html/cgi-bin
> directory could cause issue possibly requiring intervention if its not
> httpd_user* type.
>
> In my view a user should be able to restore context of all contents in
> his home dir.
>
A user yes, a student no ;-)
No, most of these students are computer music or digital media students who
are basically Windows or Mac users who have minimal Linux experience.
> Therefore i would not use httpd_sys* types or public_content* types in
> users home directories.
>
> i would probably just
>
> adduser joe
> mkdir ~/public_html; chcon -R -t httpd_user_content_rw_t ~/public_html
> mkdir ~/public_html/cgi-bin; chcon -R -t httpd_user_script_exec_t
> ~/public_html/cgi-bin
>
They are not "home" directories. They are actually ftp home directories in
/var/ftp/pub. Students develop their scripts on their local machine and upload
them to the server using ftp.
Thanks,
Tony
> Heck you wouldnt even have to set it up yourself, since your students
> have access to both types they could just do it themselves.
>
>> Tony
>>
>>>> Thanks,
>>>>
>>>> Tony
>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Tony
>>>>>>
>>>>>> It should not be necessary. public_html labeled correctly will
work.
>>>>>> THe problem you are seeing is that this boolean was set causing
>>>>>> suexec to not work.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
miscfiles_read_public_files(httpd_suexec_t)
Needs to be added, It is in RHEL6. I will get it into RHEL5 update.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkz38nkACgkQrlYvE4MpobPZOQCfTXXCgiCU6LkaslxeyEkwMa3g
ITIAoKUGTzuhJXhj/g+8n2VUSlbewyHO
=NPyK
-----END PGP SIGNATURE-----
1:34 p.m.
Tony Molloy wrote:
On Thursday 02 December 2010 19:07:33 Dominick Grift wrote:
<MVNCH>
> In my view a user should be able to restore context of all
contents in
> his home dir.
>
A user yes, a student no ;-)
No, most of these students are computer music or digital media students
who are basically Windows or Mac users who have minimal Linux experience.
Urk! You mean, threat level Dayglo Red for infection, trojan, and all
other attacks!
mark
1:41 p.m.
On Thursday 02 December 2010 19:34:01 m.roth(a)5-cent.us wrote:
Tony Molloy wrote:
> On Thursday 02 December 2010 19:07:33 Dominick Grift wrote:
<MVNCH>
>> In my view a user should be able to restore context of all contents in
>> his home dir.
>
> A user yes, a student no ;-)
>
> No, most of these students are computer music or digital media students
> who are basically Windows or Mac users who have minimal Linux experience.
Urk! You mean, threat level Dayglo Red for infection, trojan, and all
other attacks!
mark
Well most of them wouldn't really be up to anything but we do keep an extra
sharp eye on that server. One of the reasons I want to have SELinux enabled on
it.
Tony
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
1:50 p.m.
Tony Molloy wrote:
On Thursday 02 December 2010 19:34:01 m.roth(a)5-cent.us wrote:
> Tony Molloy wrote:
> > On Thursday 02 December 2010 19:07:33 Dominick Grift wrote:
> <MVNCH>
>
> >> In my view a user should be able to restore context of all contents
> >> in his home dir.
> >
> > A user yes, a student no ;-)
> >
> > No, most of these students are computer music or digital media
> > students who are basically Windows or Mac users who have minimal Linux
> > experience.
>
> Urk! You mean, threat level Dayglo Red for infection, trojan, and all
> other attacks!
Well most of them wouldn't really be up to anything but we do keep an
extra sharp eye on that server. One of the reasons I want to have SELinux
enabled on it.
It isn't that they are up to something, but they, like kids I've known
(and know) think they know what they're doing, and are carrying all sorts
of mean and nasty stuff on their thumb drives, on their own machines that
they're d/l to the linux boxen, etc.
mark
--
The *full* quote is, "A little knowledge is a dangerous thing: drink
deeply, or not at all."
2:02 p.m.
On Thursday 02 December 2010 19:50:04 m.roth(a)5-cent.us wrote:
Tony Molloy wrote:
>> > No, most of these students are computer music or digital media
>> > students who are basically Windows or Mac users who have minimal Linux
>> > experience.
>>
>> Urk! You mean, threat level Dayglo Red for infection, trojan, and all
>> other attacks!
>
> Well most of them wouldn't really be up to anything but we do keep an
> extra sharp eye on that server. One of the reasons I want to have SELinux
> enabled on it.
It isn't that they are up to something, but they, like kids I've known
(and know) think they know what they're doing, and are carrying all sorts
of mean and nasty stuff on their thumb drives, on their own machines that
they're d/l to the linux boxen, etc.
mark
--
Well in a University environment you have to put up with that. You can't very
well ban USB keys or the use of private laptops, and it wouldn't work anyway.
You just have to keep a close eye on any server students have access to and
isolate those as much as possible.
We've had a couple of major outbreakes over the years but they've always been
to Windows boxes.
Tony
The *full* quote is, "A little knowledge is a dangerous thing:
drink
deeply, or not at all."
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
2:42 p.m.
On Thursday December 2 2010 11:02:55 Tony Molloy wrote:
> It isn't that they are up to something, but they, like kids
I've known
> (and know) think they know what they're doing, and are carrying all sorts
> of mean and nasty stuff on their thumb drives, on their own machines that
> they're d/l to the linux boxen, etc.
>
> mark
>
> --
Well in a University environment you have to put up with that. You can't
very well ban USB keys or the use of private laptops, and it wouldn't work
anyway.
You just have to keep a close eye on any server students have access to and
isolate those as much as possible.
We've had a couple of major outbreakes over the years but they've always
been to Windows boxes.
Tony
Well said Tony. I am educating my college student IT department on Linux with
the future hopes of bringing Linux instruction to the classroom. There is a
serious need to balance out the excessive Microsoft education. I have been
given a server and run CentOS with SELinux enforcing. The server is being used
for the Cisco classes which require tftp. I must have SELinux or I might lose
the server to all the Microsoft cheerleaders who are eager to be the first to
kill a Linux server. And they do try (and fail). Fortunately these Microsoft
students do not understand what they think they know.
This is a good thread
Kristen
--
Are you who you say you are?
http://www.atmyhome.org/what-is-gpg-pgp.html
12:54 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/02/2010 07:27 PM, Tony Molloy wrote:
On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>>> On Thursday 02 December 2010 17:37:54 m.roth(a)5-cent.us wrote:
>>>> Tony Molloy wrote:
>>>>> On Thursday 02 December 2010 15:56:59 m.roth(a)5-cent.us wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'm running http on a fully updated Centos 5 system.
>>>>>>>>
>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>>
>>>>>>>> I'm trying to run a cgi script from a user
directory.
>>>>>>
>>>>>> <MVNCH>
>>>>>>
>>>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>>>
>>>>>> Actually, what bothers me is trying to run a .cgi from a
user's
>>>>>> directory. Can't you create a directory ->under the
apache
>>>>
>>>> <Directory><- that the
>>>>
>>>>>> users can put scripts in for testing? (I assume that once
they're
>>>>>> good, they go into the real production location for .cgi.)
>>>>>
>>>>> Not so easily done ;-)
>>>>>
>>>>> This is a University environment with several hundred
faculty/students
>>>>> wanting to use this server to run/check assignments. So they have
ftp
>>>>
>>>> accounts
>>>>
>>>>> where they can upload any scripts to their public_html directory and
>>>>> run
>>>>
>>>> them
>>>>
>>>>> from there.
>>>>
>>>> I figured it was something like that. What I was thinking was
>>>>
>>>> /var/www/html/public_cgi/<students' directories>
>>>>
>>>> which would put them in a *legitimate* place for apache to be happy
>>>> with, and which selinux would be happy with.
>>>>
>>>> You *might* need to add them to a group named something like pubcgi,
>>>> and make the above group acceptable to selinux and apache.
>>>>
>>>> mark
>>>
>>> Interesting idea. I could give it a try next semester.
>
> Not sure if suexec would work if you set it up that way
>
> I've ~/public_html/cgi-bin
> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just dandy
> with suexec.
>
I'm not clear what you are saying here.
As for the suexec comment: i am not sure if seuxec works if you do not
have the userdirs in /home/*/public_html.
so suexec might not work if you let your users use:
/var/www/html/public_cgi/<students'
My SELinux contexts
-------------------
cd /var/pub/ftp
user directory
drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp
cd healyp
drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html
^^^^^^
cd public_html
drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
^^^
cd cgi-bin
-rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
^^^
Are you suggesting that ^^^ should be user instead of sys. Would that make a
difference.
Thanks,
Tony
>>> Thanks,
>>>
>>> Tony
>>
>> It should not be necessary. public_html labeled correctly will work.
>> THe problem you are seeing is that this boolean was set causing suexec
>> to not work.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkz361AACgkQMlxVo39jgT+C/QCgn76BDVIS4kisR/jTLKGr2EPR
dZkAn3EgO5TDb+6CMGjPka/FZPaqSMB7
=eOdW
-----END PGP SIGNATURE-----
1:05 p.m.
On Thursday 02 December 2010 18:54:08 Dominick Grift wrote:
On 12/02/2010 07:27 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
>> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
>>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>>>> On Thursday 02 December 2010 17:37:54 m.roth(a)5-cent.us wrote:
>>>>> Tony Molloy wrote:
>>>>>> On Thursday 02 December 2010 15:56:59 m.roth(a)5-cent.us wrote:
>>>>>>> Daniel J Walsh wrote:
>>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I'm running http on a fully updated Centos 5
system.
>>>>>>>>>
>>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>>>
>>>>>>>>> I'm trying to run a cgi script from a user
directory.
>>>>>>>
>>>>>>> <MVNCH>
>>>>>>>
>>>>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>>>>
>>>>>>> Actually, what bothers me is trying to run a .cgi from a
user's
>>>>>>> directory. Can't you create a directory ->under the
apache
>>>>>
>>>>> <Directory><- that the
>>>>>
>>>>>>> users can put scripts in for testing? (I assume that once
they're
>>>>>>> good, they go into the real production location for .cgi.)
>>>>>>
>>>>>> Not so easily done ;-)
>>>>>>
>>>>>> This is a University environment with several hundred
>>>>>> faculty/students wanting to use this server to run/check
>>>>>> assignments. So they have ftp
>>>>>
>>>>> accounts
>>>>>
>>>>>> where they can upload any scripts to their public_html directory
and
>>>>>> run
>>>>>
>>>>> them
>>>>>
>>>>>> from there.
>>>>>
>>>>> I figured it was something like that. What I was thinking was
>>>>>
>>>>> /var/www/html/public_cgi/<students' directories>
>>>>>
>>>>> which would put them in a *legitimate* place for apache to be happy
>>>>> with, and which selinux would be happy with.
>>>>>
>>>>> You *might* need to add them to a group named something like
pubcgi,
>>>>> and make the above group acceptable to selinux and apache.
>>>>>
>>>>> mark
>>>>
>>>> Interesting idea. I could give it a try next semester.
>>
>> Not sure if suexec would work if you set it up that way
>>
>> I've ~/public_html/cgi-bin
>> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just dandy
>> with suexec.
>
> I'm not clear what you are saying here.
As for the suexec comment: i am not sure if seuxec works if you do not
have the userdirs in /home/*/public_html.
so suexec might not work if you let your users use:
/var/www/html/public_cgi/<students'
Ok that would make sense if suexec only works in /home/*/public_html
My scripts are in /var/ftp/pub/*/public_html
Users have access to the server through ftp only.
Tony
> My SELinux contexts
> -------------------
>
> cd /var/pub/ftp
>
> user directory
>
> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp
>
> cd healyp
>
> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html
>
> ^^^^^^
>
> cd public_html
>
> drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
>
> ^^^
>
> cd cgi-bin
>
> -rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t
> survey.cgi
>
> ^^^
>
> Are you suggesting that ^^^ should be user instead of sys. Would that
> make a difference.
>
> Thanks,
>
> Tony
>
>>>> Thanks,
>>>>
>>>> Tony
>>>
>>> It should not be necessary. public_html labeled correctly will work.
>>> THe problem you are seeing is that this boolean was set causing suexec
>>> to not work.
12:10 p.m.
Daniel J Walsh wrote:
On 12/02/2010 12:44 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 17:37:54 m.roth(a)5-cent.us wrote:
>> Tony Molloy wrote:
>>> On Thursday 02 December 2010 15:56:59 m.roth(a)5-cent.us wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>
>>>>>> I'm running http on a fully updated Centos 5 system.
<snip>
>>>>>> I'm trying to run a cgi script from a
user directory.
>>>>
>>>> <MVNCH>
>>>>
>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>
>>>> Actually, what bothers me is trying to run a .cgi from a user's
>>>> directory. Can't you create a directory ->under the apache
>>
>> <Directory><- that the
>>
>>>> users can put scripts in for testing? (I assume that once they're
>>>> good, they go into the real production location for .cgi.)
>>>
>>> Not so easily done ;-)
>>>
>>> This is a University environment with several hundred faculty/students
>>> wanting to use this server to run/check assignments. So they have ftp
>>> accounts where they can upload any scripts to their public_html
directory and
>>> run them from there.
>>
>> I figured it was something like that. What I was thinking was
>>
>> /var/www/html/public_cgi/<students' directories>
>> which would put them in a *legitimate* place for apache to be happy
>> with, and which selinux would be happy with.
>>
>> You *might* need to add them to a group named something like pubcgi,
>> and make the above group acceptable to selinux and apache.
>>
> Interesting idea. I could give it a try next semester.
It should not be necessary. public_html labeled correctly will work.
THe problem you are seeing is that this boolean was set causing suexec
to not work.
You mean the group, Dan? I was thinking in terms of apache looking at
ownership of files. Glad to know that the ownership, once it's in the
correct place, isn't an selinux problem.
mark
12:53 p.m.
On Thursday 02 December 2010 17:47:04 Daniel J Walsh wrote:
On 12/02/2010 12:44 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 17:37:54 m.roth(a)5-cent.us wrote:
>> Tony Molloy wrote:
>>> On Thursday 02 December 2010 15:56:59 m.roth(a)5-cent.us wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I'm running http on a fully updated Centos 5 system.
>>>>>>
>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>
>>>>>> I'm trying to run a cgi script from a user directory.
>>>>
>>>> <MVNCH>
>>>>
>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>
>>>> Actually, what bothers me is trying to run a .cgi from a user's
>>>> directory. Can't you create a directory ->under the apache
>>
>> <Directory><- that the
>>
>>>> users can put scripts in for testing? (I assume that once they're
>>>> good, they go into the real production location for .cgi.)
>>>
>>> Not so easily done ;-)
>>>
>>> This is a University environment with several hundred faculty/students
>>> wanting to use this server to run/check assignments. So they have ftp
>>
>> accounts
>>
>>> where they can upload any scripts to their public_html directory and
>>> run
>>
>> them
>>
>>> from there.
>>
>> I figured it was something like that. What I was thinking was
>>
>> /var/www/html/public_cgi/<students' directories>
>>
>> which would put them in a *legitimate* place for apache to be happy
>> with, and which selinux would be happy with.
>>
>> You *might* need to add them to a group named something like pubcgi, and
>> make the above group acceptable to selinux and apache.
>>
>> mark
>
> Interesting idea. I could give it a try next semester.
>
> Thanks,
>
> Tony
It should not be necessary. public_html labeled correctly will work.
THe problem you are seeing is that this boolean was set causing suexec
to not work.
Ok I spoke too soon.
Current situation:
httpd booleans
--------------
[root@garryowen ~]# getsebool -a | grep http
allow_httpd_anon_write --> on
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> on
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_network_relay --> on
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_read_user_content --> off
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
SELinux contexts
----------------
cd /var/pub/ftp
user directory
drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp
cd healyp
drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html
^^^^^^
cd public_html
drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
^^^
cd cgi-bin
-rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
^^^
Do these look correct.
Now when I switch SElinux to enforcing it doesn't work, when I switch it to
permissive I get a different AVC.
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux denied access requested by suexec. It is not expected that this access
is required by suexec and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for ./ftp,
restorecon -v './ftp'
If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this access -
see FAQ Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this package.
Raw Audit Messages :
host=garryowen.x.y.z type=AVC msg=audit(1291315633.784:98283): avc: denied {
search } for pid=8199 comm="suexec" name="ftp" dev=sda5 ino=65537
scontext=system_u:system_r:httpd_suexec_t:s0
tcontext=system_u:object_r:public_content_t:s0 tclass=dir
host=garryowen.x.y.z type=AVC msg=audit(1291315633.784:98283): avc: denied {
search } for pid=8199 comm="suexec" name="healyp" dev=sda10
ino=9638241
scontext=system_u:system_r:httpd_suexec_t:s0
tcontext=root:object_r:public_content_rw_t:s0 tclass=dir
host=garryowen.x.y.z type=SYSCALL msg=audit(1291315633.784:98283):
arch=c000003e syscall=80 success=yes exit=0 a0=2b86038ddde0 a1=1000 a2=0 a3=0
items=0 ppid=789 pid=8199 auid=4294967295 uid=734 gid=803 euid=734 suid=734
fsuid=734 egid=803 sgid=803 fsgid=803 tty=(none) ses=4294967295 comm="suexec"
exe="/usr/sbin/suexec" subj=system_u:system_r:httpd_suexec_t:s0 key=(null)
Now I can generate a local policy to allow access.
Thanks,
Tony
4903
days inactive
4904
days old
selinux@lists.fedoraproject.org
22 comments
5 participants
participants (5)
-
Daniel J Walsh -
Dominick Grift -
Kristen R -
mark -
Tony Molloy