http AVC
Daniel J Walsh
dwalsh at redhat.com
Thu Dec 2 17:47:04 UTC 2010
On 12/02/2010 12:44 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 17:37:54 m.roth at 5-cent.us wrote:
>> Tony Molloy wrote:
>>> On Thursday 02 December 2010 15:56:59 m.roth at 5-cent.us wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I'm running http on a fully updated Centos 5 system.
>>>>>>
>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>
>>>>>> I'm trying to run a cgi script from a user directory.
>>>>
>>>> <MVNCH>
>>>>
>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>
>>>> Actually, what bothers me is trying to run a .cgi from a user's
>>>> directory. Can't you create a directory ->under the apache
>>
>> <Directory><- that the
>>
>>>> users can put scripts in for testing? (I assume that once they're good,
>>>> they go into the real production location for .cgi.)
>>>
>>> Not so easily done ;-)
>>>
>>> This is a University environment with several hundred faculty/students
>>> wanting to use this server to run/check assignments. So they have ftp
>>
>> accounts
>>
>>> where they can upload any scripts to their public_html directory and run
>>
>> them
>>
>>> from there.
>>
>> I figured it was something like that. What I was thinking was
>>
>> /var/www/html/public_cgi/<students' directories>
>> which would put them in a *legitimate* place for apache to be happy with,
>> and which selinux would be happy with.
>>
>> You *might* need to add them to a group named something like pubcgi, and
>> make the above group acceptable to selinux and apache.
>>
>> mark
>
> Interesting idea. I could give it a try next semester.
>
> Thanks,
>
> Tony
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
It should not be necessary. public_html labeled correctly will work.
The problem you are seeing is that this boolean was set, causing suexec
to not work.