http AVC

Tony Molloy tony.molloy at ul.ie
Thu Dec 2 19:21:35 UTC 2010


On Thursday 02 December 2010 19:07:33 Dominick Grift wrote:
> On 12/02/2010 07:58 PM, Tony Molloy wrote:
> > On Thursday 02 December 2010 18:49:34 Dominick Grift wrote:
> >> On 12/02/2010 07:27 PM, Tony Molloy wrote:
> >>> On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
> >>>> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
> >>>>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
> >>>>>> On Thursday 02 December 2010 17:37:54 m.roth at 5-cent.us wrote:
> >>>>>>> Tony Molloy wrote:
> >>>>>>>> On Thursday 02 December 2010 15:56:59 m.roth at 5-cent.us wrote:
> >>>>>>>>> Daniel J Walsh wrote:
> >>>>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
> >>>>>>>>>>> Hi,
> >>>>>>>>>>> 
> >>>>>>>>>>> I'm running http on a fully updated Centos 5 system.
> >>>>>>>>>>> 
> >>>>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
> >>>>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
> >>>>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
> >>>>>>>>>>> 
> >>>>>>>>>>> I'm trying to run a cgi script from a user directory.
> >>>>>>>>> 
> >>>>>>>>> <MVNCH>
> >>>>>>>>> 
> >>>>>>>>>> Do you have httpd_suexec_disable_trans turned on?
> >>>>>>>>> 
> >>>>>>>>> Actually, what bothers me is trying to run a .cgi from a user's
> >>>>>>>>> directory. Can't you create a directory ->under the apache
> >>>>>>>>> <Directory><- that the users can put scripts in for testing? (I
> >>>>>>>>> assume that once they're good, they go into the real production
> >>>>>>>>> location for .cgi.)
> >>>>>>>> 
> >>>>>>>> Not so easily done ;-)
> >>>>>>>> 
> >>>>>>>> This is a University environment with several hundred
> >>>>>>>> faculty/students wanting to use this server to run/check
> >>>>>>>> assignments. So they have ftp accounts where they can upload any
> >>>>>>>> scripts to their public_html directory and run them from there.
> >>>>>>> 
> >>>>>>> I figured it was something like that. What I was thinking was
> >>>>>>> 
> >>>>>>>    /var/www/html/public_cgi/<students' directories>
> >>>>>>> 
> >>>>>>> which would put them in a *legitimate* place for apache to be happy
> >>>>>>> with, and which selinux would be happy with.
> >>>>>>> 
> >>>>>>> You *might* need to add them to a group named something like
> >>>>>>> pubcgi, and make the above group acceptable to selinux and apache.
> >>>>>>> 
> >>>>>>>      mark
> >>>>>> 
> >>>>>> Interesting idea. I could give it a try next semester.
> >>>> 
> >>>> Not sure if suexec would work if you set it up that way
> >>>> 
> >>>> I've ~/public_html/cgi-bin
> >>>> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just
> >>>> dandy with suexec.
> >>> 
> >>> I'm not clear what you are saying here.
> >>> 
> >>> My SELinux contexts
> >>> -------------------
> >>> 
> >>> cd /var/pub/ftp
> >>> 
> >>> user directory
> >>> 
> >>> drwxr-xr-x  healyp   ftpgrp root:object_r:public_content_rw_t healyp
> >>> 
> >>> cd healyp
> >>> 
> >>> drwxr-xr-x  healyp   ftpgrp root:object_r:public_content_rw_t public_html
> >>>                                           ^^^^^^
> >>> 
> >>> cd public_html
> >>> 
> >>> drwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
> >>>                                                 ^^^
> >>> 
> >>> cd cgi-bin
> >>> 
> >>> -rwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
> >>>                                                 ^^^
> >>> 
> >>> Are you suggesting that ^^^ should be user instead of sys? Would that
> >>> make a difference?
> >> 
> >> Well, if that type exists in your distro then it's preferred that you use
> >> it, yes. If the httpd_user* types do not exist then you can just use the
> >> httpd_sys* types.
> >> 
> >> There are some minor differences. One of which is that httpd_user* types
> >> are user content, meaning users can manage and relabel it, whereas
> >> httpd_sys* types are system content types and users *may* not be able to
> >> do all the things they would like to with it.
> >> 
> >> I am not sure how that was designed on el5. But in el6 and Fedora 14,
> >> you should use httpd_user* types in ~ in my opinion.
> >> 
> >> But httpd_sys* types also work for the most part. It's just not optimal.
> > 
> > Ok I don't want the users being able to relabel anything. They are mostly
> > students and cause enough problems as it is.
> 
> Well, I am not saying they can relabel everything; they can just relabel to
> and from httpd_user* types. Could be useful. For example, a student
> moving a script from his home directory to his public_html/cgi-bin
> directory could cause issues, possibly requiring intervention, if it's not
> an httpd_user* type.
> 
> In my view a user should be able to restore the context of all contents in
> his home dir.
> 

A user yes, a student no ;-)

No, most of these students are computer music or digital media students who 
are basically Windows or Mac users who have minimal Linux experience.

> Therefore I would not use httpd_sys* types or public_content* types in
> users' home directories.
> 
> I would probably just
> 
> adduser joe
> mkdir ~/public_html; chcon -R -t httpd_user_content_rw_t ~/public_html
> mkdir ~/public_html/cgi-bin; chcon -R -t httpd_user_script_exec_t ~/public_html/cgi-bin
> 

They are not "home" directories. They are actually ftp home directories in 
/var/ftp/pub. Students develop their scripts on their local machine and upload 
them to the server using ftp.

Thanks,

Tony

> Heck, you wouldn't even have to set it up yourself; since your students
> have access to both types they could just do it themselves.
> 
> > Tony
> > 
> >>> Thanks,
> >>> 
> >>> Tony
> >>> 
> >>>>>> Thanks,
> >>>>>> 
> >>>>>> Tony
> >>>>> 
> >>>>> It should not be necessary.  public_html labeled correctly will work.
> >>>>> The problem you are seeing is that this boolean was set, causing
> >>>>> suexec to not work.
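As an added example (not code from anyone in the thread), the following script turns the advice above into a repeatable check an admin can run over `ls -Z` output: it flags `public_content*` and `httpd_sys_*` types under a user's `public_html` (the two things Dominick recommends against), expects `httpd_user_script_exec_t` on `cgi-bin` and its contents, and reports whether `httpd_suexec_disable_trans` is on, which is the boolean Dan identifies as the reason suexec stopped working. The listing and `getsebool` output embedded below are constructed to mirror Tony's posting; the `httpd_user_content_t`, `httpd_user_content_rw_t` and `httpd_user_script_exec_t` type names are the ones used in the thread, and the `/var/ftp/pub/healyp` base path and `healyp` user are assumptions taken from it.

```python
"""Audit SELinux labels on per-user web content from `ls -Z` output.

Added example, not code from the thread. It encodes the convention Dominick
Grift recommends above (httpd_user_* types for web content in a user's
directory, httpd_user_script_exec_t for cgi-bin) and Dan Walsh's point that
httpd_suexec_disable_trans being on stops suexec from working. The sample
listing and getsebool output are constructed to mirror what Tony posted.
"""
import re

# Compact `ls -Z` line as quoted in the thread: perms owner group context name.
# The MLS level after the type is optional (el5 targeted does not show one).
LS_Z_RE = re.compile(
    r"^(?P<perms>[-dl][rwxsStT-]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<seuser>\w+):(?P<role>\w+):(?P<setype>\w+)(?::(?P<level>\S+))?\s+(?P<name>\S+)$"
)

# Types named in the thread as acceptable for user web content / CGI.
USER_CONTENT_TYPES = {"httpd_user_content_t", "httpd_user_content_rw_t"}
USER_SCRIPT_TYPE = "httpd_user_script_exec_t"


def parse_ls_z(text, base):
    """Parse compact `ls -Z` lines into (path, perms, setype) tuples under `base`."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LS_Z_RE.match(line)
        if not m:
            raise ValueError(f"unparseable ls -Z line: {line!r}")
        entries.append((f"{base.rstrip('/')}/{m['name']}", m["perms"], m["setype"]))
    return entries


def audit_entry(path, perms, setype):
    """Return a finding for one entry, or None if its label fits the convention."""
    if "public_html" not in path:
        return None                      # not web-visible: nothing to check
    is_cgi = "/cgi-bin" in path          # the cgi-bin directory or anything inside it
    if setype.startswith("public_content"):
        return f"{path}: {setype} is the ftp public_content type, not an httpd type"
    if setype.startswith("httpd_sys_"):
        return f"{path}: {setype} is a system content type; users cannot relabel it"
    if is_cgi and setype != USER_SCRIPT_TYPE:
        return f"{path}: CGI content should be {USER_SCRIPT_TYPE}, found {setype}"
    if not is_cgi and setype not in USER_CONTENT_TYPES:
        return f"{path}: web content should be an httpd_user_* content type, found {setype}"
    return None


def audit(entries):
    """Run audit_entry over parsed entries and collect the non-empty findings."""
    return [f for f in (audit_entry(*e) for e in entries) if f]


def suexec_transition_disabled(getsebool_output):
    """True if `getsebool httpd_suexec_disable_trans` output reports the boolean on."""
    m = re.search(r"^httpd_suexec_disable_trans\s+-->\s+(on|off)\s*$",
                  getsebool_output, re.M)
    if not m:
        raise ValueError("httpd_suexec_disable_trans not found in getsebool output")
    return m.group(1) == "on"


# Constructed sample: the labels Tony showed, as `ls -Zd` of three paths would print them.
SAMPLE_LISTING = """
drwxr-xr-x  healyp   ftpgrp root:object_r:public_content_rw_t public_html
drwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t public_html/cgi-bin
-rwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t public_html/cgi-bin/survey.cgi
"""
# Constructed sample: the boolean state Dan says was causing the suexec failure.
SAMPLE_GETSEBOOL = "httpd_suexec_disable_trans --> on\n"

if __name__ == "__main__":
    for finding in audit(parse_ls_z(SAMPLE_LISTING, "/var/ftp/pub/healyp")):
        print(finding)
    if suexec_transition_disabled(SAMPLE_GETSEBOOL):
        print("httpd_suexec_disable_trans is on: suexec will not work until it is turned off")
```

Run on the constructed sample it reports three findings (public_content_rw_t on public_html, httpd_sys_script_exec_t on cgi-bin and on survey.cgi) plus the boolean warning; after relabeling with the `chcon` lines Dominick gives and turning the boolean off, the same script comes back silent.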