http AVC

Daniel J Walsh dwalsh at redhat.com
Thu Dec 2 19:24:41 UTC 2010



On 12/02/2010 02:21 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 19:07:33 Dominick Grift wrote:
>> On 12/02/2010 07:58 PM, Tony Molloy wrote:
>>> On Thursday 02 December 2010 18:49:34 Dominick Grift wrote:
>>>> On 12/02/2010 07:27 PM, Tony Molloy wrote:
>>>>> On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
>>>>>> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
>>>>>>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>>>>>>>> On Thursday 02 December 2010 17:37:54 m.roth at 5-cent.us wrote:
>>>>>>>>> Tony Molloy wrote:
>>>>>>>>>> On Thursday 02 December 2010 15:56:59 m.roth at 5-cent.us wrote:
>>>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm running http on a fully updated Centos 5 system.
>>>>>>>>>>>>>
>>>>>>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm trying to run a cgi script from a user directory.
>>>>>>>>>>>
>>>>>>>>>>> <MVNCH>
>>>>>>>>>>>
>>>>>>>>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>>>>>>>>
>>>>>>>>>>> Actually, what bothers me is trying to run a .cgi from a user's
>>>>>>>>>>> directory. Can't you create a directory ->under the apache
>>>>>>>>>>> <Directory><- that the users can put scripts in for testing? (I
>>>>>>>>>>> assume that once they're good, they go into the real production
>>>>>>>>>>> location for .cgi.)
>>>>>>>>>>
>>>>>>>>>> Not so easily done ;-)
>>>>>>>>>>
>>>>>>>>>> This is a University environment with several hundred
>>>>>>>>>> faculty/students wanting to use this server to run/check
>>>>>>>>>> assignments. So they have ftp accounts where they can upload any
>>>>>>>>>> scripts to their public_html directory and run them from there.
>>>>>>>>>
>>>>>>>>> I figured it was something like that. What I was thinking was
>>>>>>>>>
>>>>>>>>>    /var/www/html/public_cgi/<students' directories>
>>>>>>>>>
>>>>>>>>> which would put them in a *legitimate* place for apache to be happy
>>>>>>>>> with, and which selinux would be happy with.
>>>>>>>>>
>>>>>>>>> You *might* need to add them to a group named something like
>>>>>>>>> pubcgi, and make the above group acceptable to selinux and apache.
>>>>>>>>>
>>>>>>>>>      mark
>>>>>>>>
>>>>>>>> Interesting idea. I could give it a try next semester.
>>>>>>
>>>>>> Not sure if suexec would work if you set it up that way
>>>>>>
>>>>>> I have ~/public_html/cgi-bin
>>>>>> (httpd_user_content_t / httpd_user_script_exec_t) and it works just
>>>>>> dandy with suexec.
>>>>>
>>>>> I'm not clear what you are saying here.
>>>>>
>>>>> My SELinux contexts
>>>>> -------------------
>>>>>
>>>>> cd /var/pub/ftp
>>>>>
>>>>> user directory
>>>>>
>>>>> drwxr-xr-x  healyp   ftpgrp root:object_r:public_content_rw_t healyp
>>>>>
>>>>> cd healyp
>>>>>
>>>>> drwxr-xr-x  healyp   ftpgrp root:object_r:public_content_rw_t public_html
>>>>>                                           ^^^^^^
>>>>>
>>>>> cd public_html
>>>>>
>>>>> drwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
>>>>>                                                 ^^^
>>>>>
>>>>> cd cgi-bin
>>>>>
>>>>> -rwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
>>>>>                                                 ^^^
>>>>>
>>>>> Are you suggesting that ^^^ should be user instead of sys? Would that
>>>>> make a difference?
>>>>
>>>> Well, if that type exists in your distro then it's preferred that you use
>>>> it, yes. If the httpd_user* types do not exist then you can just use
>>>> httpd_sys* types.
>>>>
>>>> There are some minor differences. One of which is that httpd_user* types
>>>> are user content, meaning users can manage and relabel it, whereas
>>>> httpd_sys* types are system content types and users *may* not be able to
>>>> do all the things they would like to it.
>>>>
>>>> I am not sure how that was designed on el5. But in el6 and Fedora 14,
>>>> you should use httpd_user* types in ~ in my opinion.
>>>>
>>>> But httpd_sys* types also work for the most part. It's just not optimal.
>>>
>>> OK, I don't want the users being able to relabel anything. They are mostly
>>> students and cause enough problems as it is.
>>
>> Well, I am not saying they can relabel everything; they can just relabel to
>> and from httpd_user* types. Could be useful. For example, a student
>> moving a script from his home directory to his public_html/cgi-bin
>> directory could cause issues, possibly requiring intervention, if it's not
>> an httpd_user* type.
>>
>> In my view a user should be able to restore context of all contents in
>> his home dir.
>>
> 
> A user yes, a student no ;-)
> 
> No, most of these students are computer music or digital media students who 
> are basically Windows or Mac users who have minimal Linux experience.
> 
>> Therefore I would not use httpd_sys* types or public_content* types in
>> users' home directories.
>>
>> I would probably just
>>
>> adduser joe
>> mkdir ~/public_html; chcon -R -t httpd_user_content_rw_t ~/public_html
>> mkdir ~/public_html/cgi-bin; chcon -R -t httpd_user_script_exec_t ~/public_html/cgi-bin
>>
> 
> They are not "home" directories. They are actually ftp home directories in 
> /var/ftp/pub. Students develop their scripts on their local machine and upload 
> them to the server using ftp.
> 
> Thanks,
> 
> Tony
> 
>> Heck, you wouldn't even have to set it up yourself; since your students
>> have access to both types they could just do it themselves.
>>
>>> Tony
>>>
>>>>> Thanks,
>>>>>
>>>>> Tony
>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Tony
>>>>>>>
>>>>>>> It should not be necessary.  public_html labeled correctly will work.
>>>>>>> The problem you are seeing is that this boolean was set, causing
>>>>>>> suexec to not work.
> 
> 
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

miscfiles_read_public_files(httpd_suexec_t)

Needs to be added. It is in RHEL6. I will get it into the RHEL5 update.
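As an added example (not from the thread), a small POSIX shell audit of the labelling Dominick recommends: it flags anything under a public_html tree that is not an httpd_user_* type, run here over a constructed listing modelled on Tony's `ls -Z` output. The function names are ours, and the input shape (context, then path) is an assumption, e.g. what `stat -c '%C %n' <paths>` prints with a current GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the thread: audit SELinux types under users'
# public_html trees against the labelling recommended above (user-manageable
# httpd_user_* types, not httpd_sys_* or public_content_* types). Assumes a
# policy that ships the httpd_user_* types; function names are our own.

# Which type a path should carry, judged by its position in a public_html tree.
expected_type() {
    case "$1" in
        */public_html/cgi-bin|*/public_html/cgi-bin/*) echo httpd_user_script_exec_t ;;
        */public_html|*/public_html/*)                 echo httpd_user_content_rw_t ;;
        *)                                             echo "" ;;   # out of scope
    esac
}

# Reads "<context> <path>" lines on stdin (e.g. "root:object_r:httpd_sys_script_exec_t
# /var/ftp/pub/healyp/public_html/cgi-bin") and prints one MISLABELED line per
# path whose type differs from the expected one.
audit_user_web_labels() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        [ -n "$want" ] || continue                    # not web content, skip
        have=$(printf '%s' "$ctx" | cut -d: -f3)      # user:role:type[:level]
        case "$have" in
            "$want") ;;
            httpd_user_content_t)                     # read-only user content is fine too
                [ "$want" = httpd_user_content_rw_t ] || echo "MISLABELED $path is $have, want $want" ;;
            *) echo "MISLABELED $path is $have, want $want" ;;
        esac
    done
}

# Number of mislabelled paths in the listing read from stdin.
count_mislabeled() {
    audit_user_web_labels | wc -l | tr -d ' '
}

# Constructed listing modelled on the contexts Tony posted (healyp), plus a
# correctly labelled user (joe) for contrast.
SAMPLE='root:object_r:public_content_rw_t /var/ftp/pub/healyp
root:object_r:public_content_rw_t /var/ftp/pub/healyp/public_html
root:object_r:httpd_sys_script_exec_t /var/ftp/pub/healyp/public_html/cgi-bin
root:object_r:httpd_sys_script_exec_t /var/ftp/pub/healyp/public_html/cgi-bin/survey.cgi
root:object_r:httpd_user_content_rw_t /var/ftp/pub/joe/public_html
root:object_r:httpd_user_script_exec_t /var/ftp/pub/joe/public_html/cgi-bin/hello.cgi'

printf '%s\n' "$SAMPLE" | audit_user_web_labels     # reports healyp's three mislabels
```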

