http AVC

Tony Molloy tony.molloy at ul.ie
Thu Dec 2 18:58:20 UTC 2010


On Thursday 02 December 2010 18:49:34 Dominick Grift wrote:
> On 12/02/2010 07:27 PM, Tony Molloy wrote:
> > On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
> >> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
> >>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
> >>>> On Thursday 02 December 2010 17:37:54 m.roth at 5-cent.us wrote:
> >>>>> Tony Molloy wrote:
> >>>>>> On Thursday 02 December 2010 15:56:59 m.roth at 5-cent.us wrote:
> >>>>>>> Daniel J Walsh wrote:
> >>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
> >>>>>>>>> Hi,
> >>>>>>>>> 
> >>>>>>>>> I'm running http on a fully updated Centos 5 system.
> >>>>>>>>> 
> >>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
> >>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
> >>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
> >>>>>>>>> 
> >>>>>>>>> I'm trying to run a cgi script from a user directory.
> >>>>>>> 
> >>>>>>> <MVNCH>
> >>>>>>> 
> >>>>>>>> Do you have httpd_suexec_disable_trans turned on?
> >>>>>>> 
> >>>>>>> Actually, what bothers me is trying to run a .cgi from a user's
> >>>>>>> directory. Can't you create a directory ->under the apache
> >>>>>>> <Directory><- that the
> >>>>>>> users can put scripts in for testing? (I assume that once they're
> >>>>>>> good, they go into the real production location for .cgi.)
> >>>>>> 
> >>>>>> Not so easily done ;-)
> >>>>>> 
> >>>>>> This is a University environment with several hundred
> >>>>>> faculty/students wanting to use this server to run/check
> >>>>>> assignments. So they have ftp accounts
> >>>>>> where they can upload any scripts to their public_html directory and
> >>>>>> run them from there.
> >>>>> 
> >>>>> I figured it was something like that. What I was thinking was
> >>>>> 
> >>>>>    /var/www/html/public_cgi/<students' directories>
> >>>>> 
> >>>>> which would put them in a *legitimate* place for apache to be happy
> >>>>> with, and which selinux would be happy with.
> >>>>> 
> >>>>> You *might* need to add them to a group named something like pubcgi,
> >>>>> and make the above group acceptable to selinux and apache.
> >>>>> 
> >>>>>      mark
> >>>> 
> >>>> Interesting idea. I could give it a try next semester.
> >> 
> >> Not sure if suexec would work if you set it up that way
> >> 
> >> I've ~/public_html/cgi-bin
> >> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just dandy
> >> with suexec.
> > 
> > I'm not clear what you are saying here.
> > 
> > My SELinux contexts
> > -------------------
> > 
> > cd /var/pub/ftp
> > 
> > user directory
> > 
> > drwxr-xr-x  healyp   ftpgrp root:object_r:public_content_rw_t healyp
> > 
> > cd healyp
> > 
> > drwxr-xr-x  healyp   ftpgrp root:object_r:public_content_rw_t public_html
> > 
> >                                           ^^^^^^
> > 
> > cd public_html
> > 
> > drwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
> > 
> >                                                 ^^^
> > 
> > cd cgi-bin
> > 
> > -rwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t
> > survey.cgi
> > 
> >                                                 ^^^
> > 
> > Are you suggesting that ^^^ should be user instead of sys. Would that
> > make a difference.
> 
> Well, if that type exists in your distro then it's preferred that you use
> it, yes. If the httpd_user* types do not exist then you can just use the
> httpd_sys* types.
> 
> There are some minor differences. One of which is that httpd_user* types
> are user content, meaning users can manage and relabel it, whereas
> httpd_sys* types are system content types and users *may* not be able to
> do all the things they would like to it.
> 
> I am not sure how that was designed on el5. But in el6 and fedora 14,
> you should use httpd_user* types in ~ in my opinion.
> 
> But httpd_sys* types also work for the most part. It's just not optimal.
> 

OK, I don't want the users to be able to relabel anything. They are mostly
students and cause enough problems as it is.

Tony

> > Thanks,
> > 
> > Tony
> > 
> >>>> Thanks,
> >>>> 
> >>>> Tony
> >>> 
> >>> It should not be necessary.  public_html labeled correctly will work.
> >>> The problem you are seeing is that this boolean was set, causing suexec
> >>> to not work.
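The thread turns on three things: the file types on ~user/public_html/cgi-bin (httpd_user_script_exec_t preferred where the policy has it, httpd_sys_script_exec_t otherwise), the httpd_suexec_disable_trans boolean Dan Walsh points at, and the fact that Tony's user trees live under /var/pub/ftp rather than a real home directory. The script below is an added example written for this page, not code from any participant. It checks `ls -Z` and `getsebool -a` output against those expectations and prints (never runs) the fix commands. Assumptions beyond the thread: the two extra booleans httpd_enable_homedirs and httpd_enable_cgi are the standard targeted-policy switches for home-directory content and CGI; the semanage fcontext rule is the usual way to make a label survive restorecon for a path the stock policy does not cover; all sample listing and boolean lines are constructed from the layout Tony posted.

```shell
#!/bin/sh
# Added example, not from the thread: checks the SELinux labels and booleans the
# participants identify as what makes (or breaks) CGI under ~user/public_html.
# All sample `ls -Z` and `getsebool` lines below are constructed; on a host,
# feed it the real output. Paths follow Tony's layout (/var/pub/ftp/<user>).

# Type prefix: Dominick prefers httpd_user_* where the policy has them; on a
# policy without them (he is unsure about el5) run with
# HTTPD_CONTENT_PREFIX=httpd_sys to check against the httpd_sys_* names instead.
PREFIX=${HTTPD_CONTENT_PREFIX:-httpd_user}

# expected_type PATH: the type a cgi-bin directory (or anything inside it)
# should carry. public_html itself is deliberately not checked: in the posted
# listing it is public_content_rw_t so the FTP server can write to it, and
# httpd's public-content rules let it read that type.
expected_type() {
  case "$1" in
    */public_html/cgi-bin)   echo "${PREFIX}_script_exec_t" ;;
    */public_html/cgi-bin/*) echo "${PREFIX}_script_exec_t" ;;
    *)                       echo "unchecked" ;;
  esac
}

# context_type "user:role:type[:level]" -> type
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# check_line "<ls -Z line>" PATH: compares the context in the line with
# expected_type PATH. Prints a verdict; returns 0 on match/skip, 1 on mismatch.
# Works on el5's 4-column `ls -Z` and on newer output with a trailing level.
check_line() {
  ctx=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) { print $i; exit } }')
  actual=$(context_type "$ctx")
  want=$(expected_type "$2")
  if [ "$want" = unchecked ]; then
    echo "SKIP     $2 ($actual)"; return 0
  elif [ "$actual" = "$want" ]; then
    echo "OK       $2 is $actual"; return 0
  else
    echo "MISMATCH $2 is $actual, expected $want"; return 1
  fi
}

# check_booleans: reads `getsebool -a` output on stdin and flags the settings
# that matter here. httpd_suexec_disable_trans=on is the one Dan Walsh points
# at; httpd_enable_homedirs and httpd_enable_cgi are not in the thread but are
# the standard targeted-policy switches for ~user content and CGI (assumption).
# Returns 1 if anything is flagged.
check_booleans() {
  problems=0
  while read -r name _arrow value; do
    case "$name=$value" in
      httpd_suexec_disable_trans=on)
        echo "PROBLEM $name is on: suexec does not enter its own domain; setsebool -P $name off"
        problems=1 ;;
      httpd_enable_homedirs=off)
        echo "PROBLEM $name is off: httpd may not read ~user content; setsebool -P $name on"
        problems=1 ;;
      httpd_enable_cgi=off)
        echo "PROBLEM $name is off: CGI execution is denied; setsebool -P $name on"
        problems=1 ;;
    esac
  done
  return $problems
}

# print_fix_commands ROOT: prints (does not run) commands that label every
# ROOT/<user>/public_html/cgi-bin persistently. The stock rules only cover real
# home directories, so user trees under /var/pub/ftp need a site rule;
# restorecon is restricted to the cgi-bin trees so the public_content_rw_t
# labels above them are left alone.
print_fix_commands() {
  echo "semanage fcontext -a -t ${PREFIX}_script_exec_t '$1/[^/]+/public_html/cgi-bin(/.*)?'"
  echo "restorecon -R -v $1/*/public_html/cgi-bin"
  echo "setsebool -P httpd_suexec_disable_trans off"
}

# Demo on constructed input: the listing from the thread (sys types) and a
# getsebool line with the boolean in the state Dan Walsh warns about.
status=0
check_line "drwxr-xr-x  healyp   ftpgrp root:object_r:public_content_rw_t public_html" /var/pub/ftp/healyp/public_html || status=1
check_line "drwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin" /var/pub/ftp/healyp/public_html/cgi-bin || status=1
check_line "-rwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t:s0 survey.cgi" /var/pub/ftp/healyp/public_html/cgi-bin/survey.cgi || status=1
printf '%s\n' 'httpd_suexec_disable_trans --> on' 'httpd_enable_cgi --> on' 'httpd_enable_homedirs --> on' | check_booleans || status=1
[ "$status" -eq 0 ] || print_fix_commands /var/pub/ftp
```

On a real host the same functions take live data: `ls -dZ /var/pub/ftp/*/public_html/cgi-bin` one line at a time into check_line, and `getsebool -a | check_booleans`. Because the demo feeds it the listing Tony posted, it reports the cgi-bin as a mismatch against the httpd_user_* names and prints the fix; rerun with `HTTPD_CONTENT_PREFIX=httpd_sys` to see it accept the labels as they are, which is Dominick's fallback for a policy without the user types. The fcontext rule matters because a bare chcon (as the listing suggests was done) is undone by the next restorecon.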