CGI can't read public_html files

Alex Slesarev alex.slesarev at gmail.com
Sat Dec 1 01:29:31 UTC 2007


Hello!

I want to access public_html files from a CGI script, but can't do it: I
get an AVC error while reading the README file from the public_html dir:

-----------------------------------------------------------------------
[root at elc6002s nuald]# tail /var/log/messages | grep setroubleshoot -m 1

Nov 29 13:42:51 elc6002s setroubleshoot: #012    SELinux is preventing
the format.cgi from using potentially mislabeled files <Unknown>
(unconfined_home_dir_t).#012     For complete SELinux messages. run
sealert -l 69519bd7-3e77-46d9-b845-7f066c4515e6
-----------------------------------------------------------------------

I have only one item with unconfined_home_dir_t type in the path to
README file:

-----------------------------------------------------------------------
[nuald at elc6002s public_html]$ ls -Z `pwd`/README && pushd . > /dev/null
&& while [[ `pwd` != '/' ]]; do ls -Zd `pwd` &&  cd ..; done && popd >
/dev/null

-rw-rw-r--  nuald nuald system_u:object_r:httpd_user_content_t:s0
/home/nuald/public_html/README
drwxrwxr-x  nuald nuald system_u:object_r:httpd_user_content_t:s0
/home/nuald/public_html
drwx--x--x  nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0
/home/nuald
drwxr-xr-x  root root system_u:object_r:home_root_t:s0 /home
-----------------------------------------------------------------------

So, only my home dir has the unconfined_home_dir_t type. But I do not want
to change it to the httpd_sys_content_t type, and I don't like this solution.

The CGI script itself works fine, even though it has the httpd_user_content_t
type now:

-----------------------------------------------------------------------
[nuald at elc6002s cgi-bin]$ ls -Z `pwd`/format.cgi && pushd . > /dev/null
&& while [[ `pwd` != '/' ]]; do ls -Zd `pwd` &&  cd ..; done && popd >
/dev/null

-rwxr-xr-x  nuald nuald system_u:object_r:httpd_user_content_t:s0
/home/nuald/public_html/cgi-bin/format.cgi
drwxr-xr-x  nuald nuald system_u:object_r:httpd_user_content_t:s0
/home/nuald/public_html/cgi-bin
drwxrwxr-x  nuald nuald system_u:object_r:httpd_user_content_t:s0
/home/nuald/public_html
drwx--x--x  nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0
/home/nuald
drwxr-xr-x  root root system_u:object_r:home_root_t:s0 /home
-----------------------------------------------------------------------

So the script just can't read files in the public_html folder. What is the
right way to fix it?

The script itself is below and is used as
http://localhost/~nuald/cgi-bin/format.cgi?file=README
-----------------------------------------------------------------------
[nuald at elc6002s cgi-bin]$ cat format.cgi

#!/usr/bin/perl -wT

use strict;
use CGI qw/:standard/;
use IO::File;
use File::Spec;
use Cwd 'realpath';

print header;

# 'file' is a name relative to the parent of cgi-bin, i.e. public_html
my $filename = param('file') or die "Can be executed only as CGI";

# Resolve public_html and the requested file to absolute, symlink-free paths
my $docroot = realpath(File::Spec->updir());
my $path = realpath(File::Spec->catfile($docroot, $filename));

# Refuse anything that resolves outside public_html (e.g. file=../.bashrc),
# whether it escapes via '..' components or via a symlink
die "Refusing to read outside $docroot"
    unless defined $path && index($path, "$docroot/") == 0;

my $file = IO::File->new($path, "<") or die "Can't open file $path";
my $text = join "", <$file>;
$file->close or die "Can't close file";

print $text;
-----------------------------------------------------------------------

Thanks in advance.

-- 
Best regards, Alex Slesarev.
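The diagnosis in the post (walk every component of the path and look for the one whose type httpd cannot traverse) can be automated. The following is an added example, not code from the post or from any SELinux tool: it parses `ls -Zd`-style lines, walks the ancestor chain of a target, and reports components whose type is outside a set of httpd-traversable types. The label lines are constructed from the output quoted in the post (reflowed to one line per entry), and the set of traversable types is an assumption about the policy of that era, not something the post states; on a real system confirm it with `sesearch -A -s httpd_t -c dir -p search` and feed the function live `ls -Zd` output.

```python
"""Walk a file's ancestor chain and flag directory labels httpd_t cannot traverse.

Added example (not from the original post). The label data below is constructed
from the `ls -Zd` output quoted in the post; on a live system feed parse_ls_z()
the real output of `ls -Zd` for each component of the path.
"""
import os
import re

# Constructed from the post's quoted output, one entry per line:
# "<mode> <user> <group> <context> <path>"
LS_Z_OUTPUT = """\
-rw-rw-r--  nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/README
drwxrwxr-x  nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html
drwx--x--x  nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0 /home/nuald
drwxr-xr-x  root root system_u:object_r:home_root_t:s0 /home
"""

# ASSUMPTION: types httpd_t is expected to be able to search on the way to a
# user's public_html (the home-dir types need the httpd_enable_homedirs boolean).
# Verify against the installed policy with:
#   sesearch -A -s httpd_t -c dir -p search
HTTPD_TRAVERSABLE_TYPES = {
    "root_t", "home_root_t", "user_home_dir_t",
    "httpd_user_content_t", "httpd_sys_content_t",
}

# mode, user, group, context, path (path may contain spaces, so it is greedy)
LS_Z_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S.*)$")


def parse_ls_z(text):
    """Return {path: (mode, context)} from `ls -Z` style lines."""
    labels = {}
    for line in text.splitlines():
        m = LS_Z_RE.match(line.strip())
        if not m:
            continue  # skip prompts, separators and blank lines
        mode, _user, _group, context, path = m.groups()
        labels[path] = (mode, context)
    return labels


def selinux_type(context):
    """Extract the type field from a user:role:type:level context string."""
    return context.split(":")[2]


def ancestors(path):
    """Yield the path itself and each parent directory, stopping before '/'."""
    path = os.path.normpath(path)
    while path != "/":
        yield path
        path = os.path.dirname(path)


def audit_path(target, labels, allowed=HTTPD_TRAVERSABLE_TYPES):
    """Return [(path, type)] for every component whose type is not in `allowed`.

    A component missing from `labels` is reported too, since an unknown label
    cannot be assumed traversable.
    """
    problems = []
    for comp in ancestors(target):
        if comp not in labels:
            problems.append((comp, "<not in input>"))
            continue
        t = selinux_type(labels[comp][1])
        if t not in allowed:
            problems.append((comp, t))
    return problems


if __name__ == "__main__":
    labels = parse_ls_z(LS_Z_OUTPUT)
    for path, t in audit_path("/home/nuald/public_html/README", labels):
        print(f"{path}: type {t} is not in the httpd-traversable set")
```

Run against the post's data it reports exactly one component, /home/nuald with type unconfined_home_dir_t, which matches what setroubleshoot complained about. Note that the same search permission is what keeps a request such as `file=../.bashrc` from reaching the rest of the home directory, so whatever relabeling is chosen, the script should also refuse paths that resolve outside public_html.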