Apache CGI scripts - how to run them cleanly

Lars Poulsen lpoulsen at afar.net
Tue May 4 19:51:24 UTC 2010


>On Tue, May 04, 2010 at 12:03:28PM -0700, Lars Poulsen wrote:
> >     * setsebool -P httpd_read_user_content 1
> >     * setsebool -P httpd_enable_home_dirs 1
> >     * setsebool -P httpd_read_user_content 1
> >     * ....
> >     * chcon -R -t httpd_sys_script_exec_t /home/httpd/cgi-bin
> >     * chcon -t httpd_sys_content_t /home/httpd
> >     * chcon -R -t httpd_sys_content_t /home/httpd/html
> >     * chcon -R -t httpd_user_content_t /home/sales/serial
> >     * chcon -R -t htppd_user_content_t /home/sales/leads
> > But the one that baffles me the most is this one, which comes up when
> > I trigger the CGI script /home/httpd/cgi-bin/serial.cgi (written in PERL).
> >
> > I *think* the "search" access is triggered when the script is launched.
> > SELinux says that / is labeled as user_home_dir_t, but this is not
> > true; ls -Zd confirms that it is indeed labeled as root_t. And even
> > if it were labeled user_home_dir_t, should the boolean
> > httpd_enable_home_dirs not make it all right ?

At 12:21 PM 5/4/2010, Dominick Grift wrote:
>Did you mount a separate partition under /home or /home/*?
>The AVC denial also shows the device in question. It may in fact be / 
>on the mounted partition and not your main /.
>I think a restorecon -R /home or /home/* should solve it though

Indeed, /home is a separate filesystem.
ls -Zd tells me that /home is labeled home_root_t.
As shown above, /home/httpd is labeled httpd_sys_content_t.
What do you think is the "correct" label for them to allow them to 
house a CGI program?

Lars Poulsen


> > 
> -------------------------------------------------------------------------------------------------------------------------
> > Summary:
> >
> > SELinux is preventing /usr/bin/perl "search" access to /.
> >
> > Detailed Description:
> >
> > [SELinux is in permissive mode. This access was not denied.]
> >
> > SELinux denied access requested by serial.cgi. / may be a mislabeled. / default
> > SELinux type is root_t, but its current type is user_home_dir_t. Changing this
> > file back to the default type, may fix your problem.
> >
> > File contexts can be assigned to a file in the following ways.
> >
> >    * Files created in a directory receive the file context of the parent
> >      directory by default.
> >    * The SELinux policy might override the default label inherited from the
> >      parent directory by specifying a process running in context A which creates
> >      a file in a directory labeled B will instead create the file with label C.
> >      An example of this would be the dhcp client running with the dhclient_t type
> >      and creating a file in the directory /etc. This file would normally receive
> >      the etc_t type due to parental inheritance but instead the file is labeled
> >      with the net_conf_t type because the SELinux policy specifies this.
> >    * Users can change the file context on a file using tools such as chcon, or
> >      restorecon.
> >
> > This file could have been mislabeled either by user error, or if an normally
> > confined application was run under the wrong domain.
> >
> > However, this might also indicate a bug in SELinux because the file should not
> > have been labeled with this type.
> >
> > If you believe this is a bug, please file a bug report against this package.
> >
> > Allowing Access:
> >
> > You can restore the default system context to this file by executing the
> > restorecon command. restorecon '/', if this file is a directory, you can
> > recursively restore using restorecon -R '/'.
> >
> > Fix Command:
> >
> > /sbin/restorecon '/'
> >
> > Additional Information:
> >
> > Source Context                system_u:system_r:httpd_sys_script_t:s0
> > Target Context                unconfined_u:object_r:user_home_dir_t:s0
> > Target Objects                / [ dir ]
> > Source                        serial.cgi
> > Source Path                   /usr/bin/perl
> > Port                          <Unknown>
> > Host                          shadow.afar.net
> > Source RPM Packages           perl-5.10.0-87.fc12
> > Target RPM Packages           filesystem-2.4.30-2.fc12
> > Policy RPM                    selinux-policy-3.6.32-113.fc12
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Permissive
> > Plugin Name                   restorecon
> > Host Name                     shadow.afar.net
> > Platform                      Linux shadow.afar.net 2.6.32.11-99.fc12.i686.PAE
> >                                #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686
> > Alert Count                   6
> > First Seen                    Tue 04 May 2010 10:27:30 AM PDT
> > Last Seen                     Tue 04 May 2010 11:15:28 AM PDT
> > Local ID                      6cee89bd-3559-4483-9802-fa2dc320bd26
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292):
> > avc:  denied  { search } for  pid=15632 comm="serial.cgi" name="/"
> > dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0
> > tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
> >
> > node=shadow.afar.net type=SYSCALL msg=audit(1272996928.152:22292):
> > arch=40000003 syscall=5 success=yes exit=3 a0=8b6767c a1=8000 a2=0
> > a3=0 items=0 ppid=31549 pid=15632 auid=4294967295 uid=48 gid=489
> > euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none)
> > ses=4294967295 comm="serial.cgi" exe="/usr/bin/perl"
> > subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> >
> > --
> > selinux mailing list
> > selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
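The raw audit records quoted above carry the clue Dominick points at: a target named "/" on dev=dm-7 with ino=2 is the root directory of the filesystem mounted from that device (on ext2/3/4 every filesystem's root directory is inode 2), not the system root, and success=yes on the matching SYSCALL record is what tells you the access was only logged, not blocked. The following Python parser is an added example for this thread, not code from the mail or from Fedora's setroubleshoot; it embeds the two records quoted above as sample input, joins the AVC and SYSCALL records by their audit serial, and prints a summary with that mount-root hint. The partial i386 syscall table (arch=40000003, syscall 5 = open) and the inode-2 rule are facts assumed by the example, not stated in the thread.

```python
"""Parse raw SELinux audit records (AVC + SYSCALL) and explain a denial.

Added example for this thread; not the mailing-list author's or Fedora's code.
The sample records are the two quoted in the thread, re-joined onto one line
each so they can be parsed as the kernel emitted them.
"""
import re
from typing import Dict, List, Optional

# Sample input: the two audit records quoted in the thread (constructed here
# as single lines; the mail client had wrapped them).
SAMPLE_RECORDS = [
    'node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292): '
    'avc:  denied  { search } for  pid=15632 comm="serial.cgi" name="/" '
    'dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir',
    'node=shadow.afar.net type=SYSCALL msg=audit(1272996928.152:22292): '
    'arch=40000003 syscall=5 success=yes exit=3 a0=8b6767c a1=8000 a2=0 '
    'a3=0 items=0 ppid=31549 pid=15632 auid=4294967295 uid=48 gid=489 '
    'euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) '
    'ses=4294967295 comm="serial.cgi" exe="/usr/bin/perl" '
    'subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)',
]

# Partial i386 (arch=40000003) syscall table; assumption of this example,
# only the entry this record needs.
I386_SYSCALLS = {5: "open"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
MSG_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')  # timestamp:serial


def parse_audit_line(line: str) -> Dict[str, object]:
    """Turn one raw audit record into a dict of its key=value fields.

    Quotes are stripped from values. For AVC records 'result' is 'denied' or
    'granted' and the requested permissions are kept as a list under 'perms'.
    The event serial (the number after the colon in msg=audit(...)) is stored
    under 'serial' so the AVC and SYSCALL records of one event can be joined.
    """
    rec: Dict[str, object] = {}
    for key, val in KV_RE.findall(line):
        rec[key] = val.strip('"')
    m = MSG_RE.search(line)
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    m = AVC_RE.search(line)
    if m:
        rec["result"] = m.group(1)
        rec["perms"] = m.group(2).split()
    return rec


def context_type(ctx: str) -> str:
    """Return the type field (third component) of an SELinux context."""
    return ctx.split(":")[2]


def mount_root_hint(avc: Dict[str, object]) -> Optional[str]:
    """Flag the case from the thread: a target named "/" that is a mount point.

    On ext2/3/4 the root directory of every filesystem is inode 2, so name="/"
    with ino=2 on some device is the top of the filesystem on that device,
    which may be a separately mounted /home rather than the system root.
    """
    if avc.get("name") == "/" and avc.get("ino") == "2" and avc.get("tclass") == "dir":
        return (f'target "/" is inode 2 on dev={avc.get("dev")}: the root of the '
                f'filesystem mounted from that device, not necessarily the system '
                f'root; check each mount point (e.g. /home) with ls -Zd and '
                f'relabel it with restorecon')
    return None


def explain_event(records: List[Dict[str, object]]) -> Dict[str, object]:
    """Join the AVC and SYSCALL records of one event and summarise the denial."""
    avc = next(r for r in records if r.get("type") == "AVC")
    sc = next((r for r in records if r.get("type") == "SYSCALL"
               and r.get("serial") == avc.get("serial")), {})
    summary: Dict[str, object] = {
        "serial": avc["serial"],
        "source_type": context_type(avc["scontext"]),
        "target_type": context_type(avc["tcontext"]),
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "comm": avc.get("comm"),
        "exe": sc.get("exe"),
        "uid": sc.get("uid"),
    }
    if sc.get("arch") == "40000003":
        summary["syscall"] = I386_SYSCALLS.get(int(sc.get("syscall", -1)), "unknown")
    # A 'denied' AVC whose SYSCALL record says success=yes was logged but not
    # blocked: the policy (or that domain) is permissive, as sealert reported.
    summary["enforced"] = not (avc["result"] == "denied" and sc.get("success") == "yes")
    summary["hint"] = mount_root_hint(avc)
    return summary


if __name__ == "__main__":
    parsed = [parse_audit_line(line) for line in SAMPLE_RECORDS]
    for key, value in explain_event(parsed).items():
        print(f"{key:12} {value}")
```

Run it as-is to see the summary for the thread's event; to use it on your own logs, feed the AVC and SYSCALL lines of one event (same serial) from ausearch output into parse_audit_line and pass the list to explain_event.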


