http AVC

Dominick Grift domg472 at gmail.com
Thu Dec 2 19:07:33 UTC 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/02/2010 07:58 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 18:49:34 Dominick Grift wrote:
>> On 12/02/2010 07:27 PM, Tony Molloy wrote:
>>> On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
>>>> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
>>>>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>>>>>> On Thursday 02 December 2010 17:37:54 m.roth at 5-cent.us wrote:
>>>>>>> Tony Molloy wrote:
>>>>>>>> On Thursday 02 December 2010 15:56:59 m.roth at 5-cent.us wrote:
>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I'm running http on a fully updated Centos 5 system.
>>>>>>>>>>>
>>>>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to run a cgi script from a user directory.
>>>>>>>>>
>>>>>>>>> <MVNCH>
>>>>>>>>>
>>>>>>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>>>>>>
>>>>>>>>> Actually, what bothers me is trying to run a .cgi from a user's
>>>>>>>>> directory. Can't you create a directory ->under the apache
>>>>>>>
>>>>>>> <Directory><- that the
>>>>>>>
>>>>>>>>> users can put scripts in for testing? (I assume that once they're
>>>>>>>>> good, they go into the real production location for .cgi.)
>>>>>>>>
>>>>>>>> Not so easily done ;-)
>>>>>>>>
>>>>>>>> This is a University environment with several hundred
>>>>>>>> faculty/students wanting to use this server to run/check
>>>>>>>> assignments. So they have ftp
>>>>>>>
>>>>>>> accounts
>>>>>>>
>>>>>>>> where they can upload any scripts to their public_html directory and
>>>>>>>> run
>>>>>>>
>>>>>>> them
>>>>>>>
>>>>>>>> from there.
>>>>>>>
>>>>>>> I figured it was something like that. What I was thinking was
>>>>>>>
>>>>>>>    /var/www/html/public_cgi/<students' directories>
>>>>>>>
>>>>>>> which would put them in a *legitimate* place for apache to be happy
>>>>>>> with, and which selinux would be happy with.
>>>>>>>
>>>>>>> You *might* need to add them to a group named something like pubcgi,
>>>>>>> and make the above group acceptable to selinux and apache.
>>>>>>>
>>>>>>>      mark
>>>>>>
>>>>>> Interesting idea. I could give it a try next semester.
>>>>
>>>> Not sure if suexec would work if you set it up that way
>>>>
>>>> I've ~/public_html/cgi-bin
>>>> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just dandy
>>>> with suexec.
>>>
>>> I'm not clear what you are saying here.
>>>
>>> My SELinux contexts
>>> -------------------
>>>
>>> cd /var/pub/ftp
>>>
>>> user directory
>>>
>>> drwxr-xr-x  healyp   ftpgrp root:object_r:public_content_rw_t healyp
>>>
>>> cd healyp
>>>
>>> drwxr-xr-x  healyp   ftpgrp root:object_r:public_content_rw_t public_html
>>>
>>>                                           ^^^^^^
>>>
>>> cd public_html
>>>
>>> drwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
>>>
>>>                                                 ^^^
>>>
>>> cd cgi-bin
>>>
>>> -rwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t
>>> survey.cgi
>>>
>>>                                                 ^^^
>>>
>>> Are you suggesting that ^^^ should be user instead of sys. Would that
>>> make a difference.
>>
>> Well if that type exists in your distro than its preferred that you use
>> it yes. if the httpd_user* types do not exist then you can just use
>> http_sys* types.
>>
>> There are some minor differences. One of which is that http_user* types
>> are user content, meaning users can manage and relabel it. Where
>> httpd_sys* types are system content types and users *may* not be able to
>> do all the things the would like to it
>>
>> I am not sure how that was designed on el5. But in el6 and fedora 14,
>> you should use httpd_user* types in ~ in my opinion.
>>
>> But httpd_sys* types also work for the most part. its just not optimal
>>
> 
> Ok I don't want the users being able to relabel anything. They are mostly 
> students and cause enough problems as it is.

well i am not saying they can relabel everything they just relabel to
and from httpd_user* types. Could be useful. For example a student
moving a script from his home directory to his public_html/cgi-bin
directory could cause issue possibly requiring intervention if its not
httpd_user* type.

In my view a user should be able to restore context of all contents in
his home dir.

Therefore i would not use httpd_sys* types or public_content* types in
users home directories.

i would probably just

adduser joe
mkdir ~/public_html; chcon -R -t httpd_user_content_rw_t ~/public_html
mkdir ~/public_html/cgi-bin; chcon -R -t httpd_user_script_exec_t
~/public_html/cgi-bin

Heck you wouldnt even have to set it up yourself, since your students
have access to both types they could just do it themselves.



> 
> Tony
> 
>>> Thanks,
>>>
>>> Tony
>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Tony
>>>>>
>>>>> It should not be necessary.  public_html labeled correctly will work.
>>>>> THe problem you are seeing is that this boolean was set causing suexec
>>>>> to not work.
> 
> 
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz37nQACgkQMlxVo39jgT8LSQCgpXKgfSC7MG+4jXXBbeNy4+z6
HvwAoI4q8fYYEYlayepfQL6WJpphsIBW
=/Nye
-----END PGP SIGNATURE-----

More information about the selinux mailing list