http AVC

Dominick Grift domg472 at gmail.com
Thu Dec 2 18:10:22 UTC 2010



On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>> On Thursday 02 December 2010 17:37:54 m.roth at 5-cent.us wrote:
>>> Tony Molloy wrote:
>>>> On Thursday 02 December 2010 15:56:59 m.roth at 5-cent.us wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm running http on a fully updated Centos 5 system.
>>>>>>>
>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>
>>>>>>> I'm trying to run a cgi script from a user directory.
>>>>>
>>>>> <MVNCH>
>>>>>
>>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>>
>>>>> Actually, what bothers me is trying to run a .cgi from a user's
>>>>> directory. Can't you create a directory ->under the apache
>>>>> <Directory><- that the users can put scripts in for testing? (I
>>>>> assume that once they're good, they go into the real production
>>>>> location for .cgi.)
>>>>
>>>> Not so easily done ;-)
>>>>
>>>> This is a University environment with several hundred faculty/students
>>>> wanting to use this server to run/check assignments. So they have ftp
>>>> accounts where they can upload any scripts to their public_html
>>>> directory and run them from there.
>>>
>>> I figured it was something like that. What I was thinking was
>>>
>>>    /var/www/html/public_cgi/<students' directories>
>>> which would put them in a *legitimate* place for apache to be happy with,
>>> and which selinux would be happy with.
>>>
>>> You *might* need to add them to a group named something like pubcgi, and
>>> make the above group acceptable to selinux and apache.
>>>
>>>      mark
> 
>> Interesting idea. I could give it a try next semester.

Not sure if suexec would work if you set it up that way.

I've ~/public_html/cgi-bin
~/(httpd_user_content_t)/(httpd_user_script_exec_t) and works just dandy
with suexec.

> 
>> Thanks,
> 
>> Tony
>>>
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> It should not be necessary.  public_html labeled correctly will work.
> The problem you are seeing is that this boolean was set causing suexec
> to not work.

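The two conditions named in this thread (the httpd_suexec_disable_trans boolean and the labels on ~/public_html and ~/public_html/cgi-bin), checked in one place. This is an added example, not part of any poster's message; the function names and the sample values are constructed for illustration, and the inputs are plain strings so it runs without an SELinux host.

```shell
#!/bin/sh
# Added example (not from the thread). On a live host the inputs would be
# the output line of `getsebool httpd_suexec_disable_trans` and the context
# column that `ls -Zd` prints for each directory.

# Third field of an SELinux context user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# State (on/off) from a getsebool line such as "name --> on".
boolean_state() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# audit_user_cgi BOOL_LINE PUBLIC_HTML_CONTEXT CGI_BIN_CONTEXT
# Prints one finding per problem; returns 0 when nothing is wrong.
audit_user_cgi() {
    rc=0
    if [ "$(boolean_state "$1")" = "on" ]; then
        echo "httpd_suexec_disable_trans is on: per the thread, suexec will not work"
        rc=1
    fi
    if [ "$(context_type "$2")" != "httpd_user_content_t" ]; then
        echo "public_html is $(context_type "$2"), expected httpd_user_content_t"
        rc=1
    fi
    if [ "$(context_type "$3")" != "httpd_user_script_exec_t" ]; then
        echo "cgi-bin is $(context_type "$3"), expected httpd_user_script_exec_t"
        rc=1
    fi
    return $rc
}

# Constructed sample values (not taken from the poster's system):
# boolean left on, cgi-bin still carrying a generic home-directory type.
SAMPLE_BOOL='httpd_suexec_disable_trans --> on'
SAMPLE_HTML='user_u:object_r:httpd_user_content_t'
SAMPLE_CGI='user_u:object_r:user_home_t'

audit_user_cgi "$SAMPLE_BOOL" "$SAMPLE_HTML" "$SAMPLE_CGI" || true
```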
