CGI Script permissions
Jochen Wiedmann
jochen.wiedmann at gmail.com
Fri May 26 08:46:24 UTC 2006
Paul Howarth wrote:
> The simplest fix might be to change the file context of this particular
> CGI script to httpd_unconfined_script_exec_t instead of
> httpd_sys_script_t. That would effectively turn off SELinux protection
> for that particular script.
> The alternative approach of using audit2allow to create a local policy
> to allow these capabilities would turn on these capabilities for *all*
> of your CGI scripts, which IMHO would be worse than turning off
> protection for just that one script (particularly if that script was
> well-audited for security issues).
> Ideally it would be easy to create a subclass of CGI scripts and assign
> special capabilities to those (I have a similar issue with FastCGI
> scripts that need slightly more capabilities than regular CGI scripts),
> but that's beyond me at this moment.
As the script in question can indeed be called well-audited (basically, it
just allows to trigger a certain action by calling another script with
fixed attributes), I have decided to go with httpd_unconfined_script_exec_t.
That did the trick neatly.
Thanks very much,
Jochen
More information about the selinux
mailing list