Apache CGI scripts - how to run them cleanly
Lars Poulsen
lpoulsen at afar.net
Tue May 4 19:51:24 UTC 2010
>On Tue, May 04, 2010 at 12:03:28PM -0700, Lars Poulsen wrote:
> > * setsebool -P httpd_read_user_content 1
> > * setsebool -P httpd_enable_home_dirs 1
> > * setsebool -P httpd_read_user_content 1
> > * ....
> > * chcon -R -t httpd_sys_script_exec_t /home/httpd/cgi-bin
> > * chcon -t httpd_sys_content_t /home/httpd
> > * chcon -R -t httpd_sys_content_t /home/httpd/html
> > * chcon -R -t httpd_user_content_t /home/sales/serial
> > * chcon -R -t htppd_user_content_t /home/sales/leads
> > But the one that baffles me the most is this one, which comes up when
> > I trigger the CGI script /home/httpd/cgi-bin/serial.cgi (written in PERL).
> >
> > I *think* the "search" access is triggered when the script is launched.
> > SELinux says that / is labeled as user_home_dir_t, but this is not
> > true; ls -Zd confirms that it is indeed labeled as root_t. And even
> > if it were labeled user_home_dir_t, should the boolean
> > httpd_enable_home_dirs not make it all right?
At 12:21 PM 5/4/2010, Dominick Grift wrote:
>Did you mount a separate partition under /home or /home/*?
>The AVC denial also shows the device in question. It may in fact be /
>on the mounted partition and not your main /.
>I think a restorecon -R /home or /home/* should solve it though
Indeed, /home is a separate filesystem.
ls -Zd tells me that /home is labeled home_root_t.
As shown above, /home/httpd is labeled httpd_sys_content_t.
What do you think is the "correct" label for them to allow them to
house a CGI program?
Lars Poulsen
> >
> > Summary:
> >
> > SELinux is preventing /usr/bin/perl "search" access to /.
> >
> > Detailed Description:
> >
> > [SELinux is in permissive mode. This access was not denied.]
> >
> > SELinux denied access requested by serial.cgi. / may be a mislabeled. / default
> > SELinux type is root_t, but its current type is user_home_dir_t. Changing this
> > file back to the default type, may fix your problem.
> >
> > File contexts can be assigned to a file in the following ways.
> >
> > * Files created in a directory receive the file context of the parent
> > directory by default.
> > * The SELinux policy might override the default label inherited from the
> > parent directory by specifying a process running in context A which creates
> > a file in a directory labeled B will instead create the file with label C.
> > An example of this would be the dhcp client running with the dhclient_t type
> > and creating a file in the directory /etc. This file would normally receive
> > the etc_t type due to parental inheritance but instead the file is labeled
> > with the net_conf_t type because the SELinux policy specifies this.
> > * Users can change the file context on a file using tools such as chcon, or
> > restorecon.
> >
> > This file could have been mislabeled either by user error, or if an normally
> > confined application was run under the wrong domain.
> >
> > However, this might also indicate a bug in SELinux because the file should not
> > have been labeled with this type.
> >
> > If you believe this is a bug, please file a bug report against this package.
> >
> > Allowing Access:
> >
> > You can restore the default system context to this file by executing the
> > restorecon command. restorecon '/', if this file is a directory, you can
> > recursively restore using restorecon -R '/'.
> >
> > Fix Command:
> >
> > /sbin/restorecon '/'
> >
> > Additional Information:
> >
> > Source Context system_u:system_r:httpd_sys_script_t:s0
> > Target Context unconfined_u:object_r:user_home_dir_t:s0
> > Target Objects / [ dir ]
> > Source serial.cgi
> > Source Path /usr/bin/perl
> > Port <Unknown>
> > Host shadow.afar.net
> > Source RPM Packages perl-5.10.0-87.fc12
> > Target RPM Packages filesystem-2.4.30-2.fc12
> > Policy RPM selinux-policy-3.6.32-113.fc12
> > Selinux Enabled True
> > Policy Type targeted
> > Enforcing Mode Permissive
> > Plugin Name restorecon
> > Host Name shadow.afar.net
> > Platform Linux shadow.afar.net 2.6.32.11-99.fc12.i686.PAE
> > #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686
> > Alert Count 6
> > First Seen Tue 04 May 2010 10:27:30 AM PDT
> > Last Seen Tue 04 May 2010 11:15:28 AM PDT
> > Local ID 6cee89bd-3559-4483-9802-fa2dc320bd26
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292):
> > avc: denied { search } for pid=15632 comm="serial.cgi" name="/"
> > dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0
> > tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
> >
> > node=shadow.afar.net type=SYSCALL msg=audit(1272996928.152:22292):
> > arch=40000003 syscall=5 success=yes exit=3 a0=8b6767c a1=8000 a2=0
> > a3=0 items=0 ppid=31549 pid=15632 auid=4294967295 uid=48 gid=489
> > euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none)
> > ses=4294967295 comm="serial.cgi" exe="/usr/bin/perl"
> > subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> >
> > --
> > selinux mailing list
> > selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
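The raw AVC record in the thread already carries the clue Dominick points at: dev=dm-7 with ino=2 (inode 2 is the root directory of an ext2/3/4 filesystem) means the "/" that perl was denied "search" on is the root of the /home filesystem, not the system root. The following Python is an added example, not code from the thread or from any SELinux tool; it parses that record and maps the device to a mount point using a constructed mount table (a stand-in for reading /proc/mounts) so the path to hand to a dry-run restorecon is the mount point rather than "/".

```python
import re

# Raw AVC record copied from the thread above (the first audit message).
SAMPLE_AVC = (
    'node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292): '
    'avc: denied { search } for pid=15632 comm="serial.cgi" name="/" '
    'dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir'
)
# Constructed mount table standing in for /proc/mounts: /home is a separate
# filesystem on dm-7, as Lars confirms in his reply.
SAMPLE_MOUNTS = {"dm-0": "/", "dm-7": "/home"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_AVC = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

def parse_avc(line):
    """Split one AVC audit record into its fields plus the source/target types."""
    m = _AVC.search(line)
    if not m:
        raise ValueError("not an AVC record")
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in _KV.findall(line):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; policy rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def locate_target(rec, mounts):
    """Map dev=/ino= to a path. Inode 2 is the root directory of an ext2/3/4
    filesystem, so name="/" with ino=2 is the mount point of that device,
    not the system root (the mounted-partition case Dominick describes)."""
    mount = mounts.get(rec.get("dev"))
    if mount is None:
        return None
    if rec.get("name") == "/" and rec.get("ino") == "2":
        return mount
    return mount.rstrip("/") + "/" + rec.get("name", "")

def fix_hint(rec, mounts):
    """Summarise the denial and name the path a dry-run restorecon should check."""
    path = locate_target(rec, mounts)
    where = path if path is not None else "unknown device " + rec.get("dev", "?")
    return "%s %s { %s } on %s (type %s); check: restorecon -n -v -R %s" % (
        rec["stype"], rec["result"], " ".join(rec["perms"]), where,
        rec["ttype"], where)
```

On a real host, read the device-to-mount-point mapping from /proc/mounts instead of the constructed table; restorecon -n only reports what it would relabel, so the output can be reviewed before running it without -n.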