CGI Script permissions

Daniel J Walsh dwalsh at redhat.com
Fri May 26 10:27:25 UTC 2006


Jochen Wiedmann wrote:
> Paul Howarth wrote:
>
>   
>> The simplest fix might be to change the file context of this particular
>> CGI script to httpd_unconfined_script_exec_t instead of
>> httpd_sys_script_t. That would effectively turn off SELinux protection
>> for that particular script.
>>     
>
>   
>> The alternative approach of using audit2allow to create a local policy
>> to allow these capabilities would turn on these capabilities for *all*
>> of your CGI scripts, which IMHO would be worse than turning off
>> protection for just that one script (particularly if that script was
>> well-audited for security issues).
>>     
>
>   
>> Ideally it would be easy to create a subclass of CGI scripts and assign
>> special capabilities to those (I have a similar issue with FastCGI
>> scripts that need slightly more capabilities than regular CGI scripts),
>> but that's beyond me at this moment.
>>     
>
> As the script in question can indeed be called well-audited (basically, it
> just allows one to trigger a certain action by calling another script with
> fixed attributes), I have decided to go with httpd_unconfined_script_exec_t.
> That did the trick neatly.
>
> Thanks very much,
>
> Jochen
>   

Another alternative might be to write your own module

Create three files

# cat > myapache.te << _EOF
policy_module(myapache,1.0.0)
# the template defines the httpd_myapache_script_t domain and the
# httpd_myapache_script_exec_t entrypoint type referenced in myapache.fc
apache_content_template(myapache)
allow httpd_myapache_script_t self:capability setuid;
allow httpd_myapache_script_t self:process setrlimit;
_EOF

# echo > myapache.if

# cat > myapache.fc << _EOF
/var/www/cgi-bin/myapache_script            --    gen_context(system_u:object_r:httpd_myapache_script_exec_t,s0)
_EOF

Then build a policy module.

make -f /usr/share/selinux/devel/Makefile

semodule -i myapache.pp

restorecon -F -v /var/www/cgi-bin/myapache_script

Then try it out.  

Of course you might need additional rules.
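A worked version of the procedure above, added here as an example and not part of Dan Walsh's post: it writes the three module files (with the file context in myapache.fc rather than the .te) and, for the "additional rules" step, turns AVC denial lines into candidate allow rules for the new domain, a cut-down form of what audit2allow does. The module name, script path and the AVC lines are constructed for illustration; building and loading the module needs the selinux-policy-devel Makefile and root, so the script only does that when run with --build.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the module files
# for a confined CGI domain and derives candidate allow rules from AVC
# denials. MODULE, SCRIPT and AVC_SAMPLE are assumptions for illustration.
set -e

MODULE=myapache
SCRIPT=/var/www/cgi-bin/myapache_script
DOMAIN="httpd_${MODULE}_script_t"

# write_module DIR: create DIR/myapache.te, .if and .fc. The .fc entry must
# be one line: path, file-type flag (-- = regular file), context.
write_module() {
    dir=$1
    cat > "$dir/$MODULE.te" <<_EOF
policy_module($MODULE, 1.0.0)
# apache_content_template defines $DOMAIN and httpd_${MODULE}_script_exec_t
apache_content_template($MODULE)
allow $DOMAIN self:capability setuid;
allow $DOMAIN self:process setrlimit;
_EOF
    : > "$dir/$MODULE.if"
    cat > "$dir/$MODULE.fc" <<_EOF
$SCRIPT -- gen_context(system_u:object_r:httpd_${MODULE}_script_exec_t,s0)
_EOF
}

# avc_to_allow: read audit AVC lines on stdin, print one allow rule per
# (source type, target type, class) with the denied permissions merged.
# Same-type source and target is written as "self", as in the .te above.
avc_to_allow() {
    awk '
    function ctx_type(line, key,    i, v, parts) {
        i = index(line, key); if (i == 0) return ""
        v = substr(line, i + length(key)); sub(/[ ].*/, "", v)
        split(v, parts, ":"); return parts[3]
    }
    /avc: *denied/ {
        perms = $0
        sub(/.*denied[ ]*[{][ ]*/, "", perms); sub(/[ ]*[}].*/, "", perms)
        src = ctx_type($0, "scontext="); tgt = ctx_type($0, "tcontext=")
        cls = $0; sub(/.*tclass=/, "", cls); sub(/[ ].*/, "", cls)
        if (tgt == src) tgt = "self"
        key = src SUBSEP tgt SUBSEP cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key SUBSEP p[j]) in seen)) {
                seen[key SUBSEP p[j]] = 1; rule[key] = rule[key] " " p[j]
            }
        keys[key] = 1
    }
    END {
        for (k in keys) {
            split(k, f, SUBSEP)
            printf "allow %s %s:%s {%s };\n", f[1], f[2], f[3], rule[k]
        }
    }' | LC_ALL=C sort
}

# Constructed AVC lines in the audit.log format, as the new domain would
# produce them before the extra rules exist (not captured from a real host).
AVC_SAMPLE='type=AVC msg=audit(1148639245.101:12): avc:  denied  { setuid } for  pid=2141 comm="myapache_script" capability=7  scontext=system_u:system_r:httpd_myapache_script_t:s0 tcontext=system_u:system_r:httpd_myapache_script_t:s0 tclass=capability
type=AVC msg=audit(1148639245.102:13): avc:  denied  { setrlimit } for  pid=2141 comm="myapache_script" scontext=system_u:system_r:httpd_myapache_script_t:s0 tcontext=system_u:system_r:httpd_myapache_script_t:s0 tclass=process
type=AVC msg=audit(1148639245.103:14): avc:  denied  { read write } for  pid=2141 comm="myapache_script" name="log" dev=sda1 ino=4242 scontext=system_u:system_r:httpd_myapache_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1148639245.104:15): avc:  denied  { append } for  pid=2141 comm="myapache_script" name="log" dev=sda1 ino=4242 scontext=system_u:system_r:httpd_myapache_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file'

# suggest_rules: rules derived from the sample; on a real host feed
# "ausearch -m avc -c myapache_script" into avc_to_allow instead.
suggest_rules() { printf '%s\n' "$AVC_SAMPLE" | avc_to_allow; }

# Only on the target host, as root: build, load and relabel the script.
if [ "${1-}" = "--build" ]; then
    write_module .
    make -f /usr/share/selinux/devel/Makefile
    semodule -i "$MODULE.pp"
    restorecon -F -v "$SCRIPT"
    semodule -l | grep "^$MODULE"      # module is loaded
    ls -Z "$SCRIPT"                    # shows httpd_myapache_script_exec_t
fi
```

Review the derived rules before pasting them into the .te: they grant exactly what was denied, and a denial against a type owned by another module (the httpd_log_t file above) is usually better expressed through that module's interface, which audit2allow -R will suggest, than as a raw allow. Because every rule names httpd_myapache_script_t, they reach only the script labelled httpd_myapache_script_exec_t, which is what this approach buys over a global audit2allow policy.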
