http AVC

Dominick Grift domg472 at gmail.com
Thu Dec 2 18:49:34 UTC 2010



On 12/02/2010 07:27 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
>> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
>>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>>>> On Thursday 02 December 2010 17:37:54 m.roth at 5-cent.us wrote:
>>>>> Tony Molloy wrote:
>>>>>> On Thursday 02 December 2010 15:56:59 m.roth at 5-cent.us wrote:
>>>>>>> Daniel J Walsh wrote:
>>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I'm running http on a fully updated Centos 5 system.
>>>>>>>>>
>>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>>>
>>>>>>>>> I'm trying to run a cgi script from a user directory.
>>>>>>>
>>>>>>> <MVNCH>
>>>>>>>
>>>>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>>>>
>>>>>>> Actually, what bothers me is trying to run a .cgi from a user's
>>>>>>> directory. Can't you create a directory ->under the apache
>>>>>
>>>>> <Directory><- that the
>>>>>
>>>>>>> users can put scripts in for testing? (I assume that once they're
>>>>>>> good, they go into the real production location for .cgi.)
>>>>>>
>>>>>> Not so easily done ;-)
>>>>>>
>>>>>> This is a University environment with several hundred faculty/students
>>>>>> wanting to use this server to run/check assignments. So they have ftp
>>>>>
>>>>> accounts
>>>>>
>>>>>> where they can upload any scripts to their public_html directory and
>>>>>> run
>>>>>
>>>>> them
>>>>>
>>>>>> from there.
>>>>>
>>>>> I figured it was something like that. What I was thinking was
>>>>>
>>>>>    /var/www/html/public_cgi/<students' directories>
>>>>>
>>>>> which would put them in a *legitimate* place for apache to be happy
>>>>> with, and which selinux would be happy with.
>>>>>
>>>>> You *might* need to add them to a group named something like pubcgi,
>>>>> and make the above group acceptable to selinux and apache.
>>>>>
>>>>>      mark
>>>>
>>>> Interesting idea. I could give it a try next semester.
>>
>> Not sure if suexec would work if you set it up that way
>>
>> I've ~/public_html/cgi-bin
>> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just dandy
>> with suexec.
>>
> 
> I'm not clear what you are saying here.
> 
> My SELinux contexts
> -------------------
> 
> cd /var/pub/ftp
> 
> user directory
> 
> drwxr-xr-x  healyp   ftpgrp root:object_r:public_content_rw_t healyp
> 
> cd healyp
> 
> drwxr-xr-x  healyp   ftpgrp root:object_r:public_content_rw_t public_html
>                                           ^^^^^^
> cd public_html
> 
> drwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
>                                                 ^^^
> cd cgi-bin
> 
> -rwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
>                                                 ^^^
> 
> 
> Are you suggesting that ^^^ should be user instead of sys. Would that make a 
> difference.

Well, if that type exists in your distro then it's preferred that you use
it, yes. If the httpd_user* types do not exist then you can just use
httpd_sys* types.

There are some minor differences. One of which is that httpd_user* types
are user content, meaning users can manage and relabel it, whereas
httpd_sys* types are system content types and users *may* not be able to
do all the things they would like to it.

I am not sure how that was designed on el5. But in el6 and fedora 14,
you should use httpd_user* types in ~ in my opinion.

But httpd_sys* types also work for the most part. It's just not optimal.
> Thanks,
> 
> Tony
>>>> Thanks,
>>>>
>>>> Tony
>>>
>>> It should not be necessary.  public_html labeled correctly will work.
>>> THe problem you are seeing is that this boolean was set causing suexec
>>> to not work.
> 
> 
> 

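The label audit the thread is circling around, as an added example that is not code from the original post or from any of its participants: it parses `ls -Z` lines for a user's `~/public_html` tree, compares each entry's SELinux type with the type the thread recommends (the `httpd_user_*` family where it exists, `httpd_sys_*` otherwise, with `cgi-bin` and its contents expected to carry the `*_script_exec_t` type), and checks `getsebool -a` output for the `httpd_suexec_disable_trans` boolean that Daniel J Walsh named as the cause of suexec not working. The listing and boolean output embedded below are constructed from the contexts Tony pasted; the function names and the `family` parameter are this example's own.

```python
"""Audit SELinux labels under a user's public_html against the types
recommended in the thread.  Added example, not code from the original post."""
import re

# One `ls -Z` line as printed on el5: mode, owner, group, context, name.
# The context is user:role:type, with an optional :level appended on el6.
LS_Z_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_ls_z(line):
    """Split one `ls -Z` line into its fields; the SELinux type is the third
    colon-separated component of the context whether or not a level follows."""
    m = LS_Z_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -Z line: {line!r}")
    mode, owner, group, ctx, name = m.groups()
    fields = ctx.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return {"mode": mode, "owner": owner, "group": group,
            "type": fields[2], "name": name}


def expected_type(relpath, family="user"):
    """Type an entry at `relpath` (relative to public_html) should carry.
    `family` is "user" (preferred where httpd_user_* types exist) or "sys"
    (the fallback the thread mentions for distros without them).  Anything
    inside cgi-bin is a script location; everything else is static content."""
    top = relpath.split("/")[0]
    if top == "cgi-bin":
        return f"httpd_{family}_script_exec_t"
    return f"httpd_{family}_content_t"


def audit(listing, family="user"):
    """listing: mapping of relpath -> ls -Z line.  Returns a list of
    (relpath, actual_type, expected_type) for every mislabeled entry."""
    problems = []
    for relpath, line in listing.items():
        actual = parse_ls_z(line)["type"]
        want = expected_type(relpath, family)
        if actual != want:
            problems.append((relpath, actual, want))
    return problems


def suexec_transition_disabled(getsebool_output):
    """True when `getsebool -a` output shows httpd_suexec_disable_trans on,
    the setting the thread identifies as what breaks suexec."""
    for line in getsebool_output.splitlines():
        name, _, value = line.partition("-->")
        if name.strip() == "httpd_suexec_disable_trans":
            return value.strip() == "on"
    return False


# Constructed sample: the contexts from the thread, keyed by path relative to
# public_html ("." is public_html itself).
SAMPLE_LISTING = {
    ".": "drwxr-xr-x  healyp   ftpgrp root:object_r:public_content_rw_t public_html",
    "cgi-bin": "drwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin",
    "cgi-bin/survey.cgi": "-rwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi",
}

# Constructed sample of `getsebool -a` output with the problematic boolean on.
SAMPLE_BOOLS = """httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_suexec_disable_trans --> on
"""

if __name__ == "__main__":
    for family in ("user", "sys"):
        print(f"expecting httpd_{family}_* types:")
        for relpath, actual, want in audit(SAMPLE_LISTING, family):
            print(f"  {relpath}: is {actual}, expected {want}")
    if suexec_transition_disabled(SAMPLE_BOOLS):
        print("httpd_suexec_disable_trans is on: suexec will not transition")
```

Run against real output by piping `ls -Z` lines into `parse_ls_z` and `getsebool -a` into `suexec_transition_disabled`; the `family="sys"` pass shows that even on a distro without the `httpd_user_*` types, the `public_content_rw_t` label on `public_html` itself is the entry that still needs relabeling.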

