Apache CGI scripts - how to run them cleanly
Dominick Grift
domg472 at gmail.com
Tue May 4 20:16:21 UTC 2010
On Tue, May 04, 2010 at 12:51:24PM -0700, Lars Poulsen wrote:
>
> >On Tue, May 04, 2010 at 12:03:28PM -0700, Lars Poulsen wrote:
> >> * setsebool -P httpd_read_user_content 1
> >> * setsebool -P httpd_enable_home_dirs 1
> >> * setsebool -P httpd_read_user_content 1
> >> * ....
> >> * chcon -R -t httpd_sys_script_exec_t /home/httpd/cgi-bin
> >> * chcon -t httpd_sys_content_t /home/httpd
> >> * chcon -R -t httpd_sys_content_t /home/httpd/html
> >> * chcon -R -t httpd_user_content_t /home/sales/serial
> >> * chcon -R -t httpd_user_content_t /home/sales/leads
> >> But the one that baffles me the most is this one, which comes up when
> >> I trigger the CGI script /home/httpd/cgi-bin/serial.cgi (written in PERL).
> >>
> >> I *think* the "search" access is triggered when the script is launched.
> >> SELinux says that / is labeled as user_home_dir_t, but this is not
> >> true; ls -Zd confirms that it is indeed labeled as root_t. And even
> >> if it were labeled user_home_dir_t, should the boolean
> >> httpd_enable_home_dirs not make it all right?
>
> At 12:21 PM 5/4/2010, Dominick Grift wrote:
> >Did you mount a separate partition under /home or /home/*?
> >The AVC denial also show the device in question. It may in fact be
> >/ on the mounted partition and not your main /.
> >I think a restorecon -R /home or /home/* should solve it though
>
> Indeed, /home is a separate filesystem.
> ls -Zd tells me that /home is labeled home_root_t.
> As shown above, /home/httpd is labeled httpd_sys_content_t.
> What do you think is the "correct" label for them to allow them to
> house a CGI program?
>
First I would like to say that I would not host websites from /home/*.
Secondly, you should use the semanage plus fcontext option to make your file context specifications persistent.
But if you want to use /home/* to host websites then I guess httpd_sys_content_t would be a good type for its webroot like it is for /var/www.
The issue here is that a directory at inode #2 on device dm-7 is labeled user_home_dir_t and that the httpd_sys_script_t domain is not allowed to read it.
Either you allow it or you label the dir at inode 2 on dm-7 with a type that apache can search.
> Lars Poulsen
>
>
> >> -------------------------------------------------------------------------------------------------------------------------
> >> Summary:
> >>
> >> SELinux is preventing /usr/bin/perl "search" access to /.
> >>
> >> Detailed Description:
> >>
> >> [SELinux is in permissive mode. This access was not denied.]
> >>
> >> SELinux denied access requested by serial.cgi. / may be a mislabeled. / default
> >> SELinux type is root_t, but its current type is user_home_dir_t. Changing this
> >> file back to the default type, may fix your problem.
> >>
> >> File contexts can be assigned to a file in the following ways.
> >>
> >> * Files created in a directory receive the file context of the parent
> >> directory by default.
> >> * The SELinux policy might override the default label inherited from the
> >> parent directory by specifying a process running in context A which creates
> >> a file in a directory labeled B will instead create the file with label C.
> >> An example of this would be the dhcp client running with the dhclient_t type
> >> and creating a file in the directory /etc. This file would normally receive
> >> the etc_t type due to parental inheritance but instead the file is labeled
> >> with the net_conf_t type because the SELinux policy specifies this.
> >> * Users can change the file context on a file using tools such as chcon, or
> >> restorecon.
> >>
> >> This file could have been mislabeled either by user error, or if an normally
> >> confined application was run under the wrong domain.
> >>
> >> However, this might also indicate a bug in SELinux because the file should not
> >> have been labeled with this type.
> >>
> >> If you believe this is a bug, please file a bug report against this package.
> >>
> >> Allowing Access:
> >>
> >> You can restore the default system context to this file by executing the
> >> restorecon command. restorecon '/', if this file is a directory, you can
> >> recursively restore using restorecon -R '/'.
> >>
> >> Fix Command:
> >>
> >> /sbin/restorecon '/'
> >>
> >> Additional Information:
> >>
> >> Source Context system_u:system_r:httpd_sys_script_t:s0
> >> Target Context unconfined_u:object_r:user_home_dir_t:s0
> >> Target Objects / [ dir ]
> >> Source serial.cgi
> >> Source Path /usr/bin/perl
> >> Port <Unknown>
> >> Host shadow.afar.net
> >> Source RPM Packages perl-5.10.0-87.fc12
> >> Target RPM Packages filesystem-2.4.30-2.fc12
> >> Policy RPM selinux-policy-3.6.32-113.fc12
> >> Selinux Enabled True
> >> Policy Type targeted
> >> Enforcing Mode Permissive
> >> Plugin Name restorecon
> >> Host Name shadow.afar.net
> >> Platform Linux shadow.afar.net 2.6.32.11-99.fc12.i686.PAE
> >> #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686
> >> Alert Count 6
> >> First Seen Tue 04 May 2010 10:27:30 AM PDT
> >> Last Seen Tue 04 May 2010 11:15:28 AM PDT
> >> Local ID 6cee89bd-3559-4483-9802-fa2dc320bd26
> >> Line Numbers
> >>
> >> Raw Audit Messages
> >>
> >> node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292):
> >> avc: denied { search } for pid=15632 comm="serial.cgi" name="/"
> >> dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0
> >> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
> >>
> >> node=shadow.afar.net type=SYSCALL msg=audit(1272996928.152:22292):
> >> arch=40000003 syscall=5 success=yes exit=3 a0=8b6767c a1=8000 a2=0
> >> a3=0 items=0 ppid=31549 pid=15632 auid=4294967295 uid=48 gid=489
> >> euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none)
> >> ses=4294967295 comm="serial.cgi" exe="/usr/bin/perl"
> >> subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> >>
> >> --
> >> selinux mailing list
> >> selinux at lists.fedoraproject.org
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> >
>
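The confusing part of this thread is that the denial says "/" while the real target is the root directory of the separately mounted /home filesystem. The script below is an added example, not part of the thread or of any Fedora tool: it pulls dev, ino, name and the two contexts out of the raw AVC record (the thread's own line, joined onto one line as constructed sample input), flags ino=2 as the root inode of an ext2/3/4 filesystem so the "/" can be read as "the top of the device dm-7", and prints, without running them, the `semanage fcontext` plus `restorecon` steps Dominick recommends for making the webroot label persistent. The /home/httpd path and httpd_sys_content_t type are taken from the thread; everything else is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the thread: parse a raw AVC record to find out which
# filesystem the "/" in a denial actually refers to, and print the relabel steps
# (semanage fcontext + restorecon) for that path.

# Constructed sample input: the AVC line from the thread, joined onto one line.
AVC_LINE='node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292): avc: denied { search } for pid=15632 comm="serial.cgi" name="/" dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir'

# avc_field LINE KEY: value of KEY=value in the record, surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perm LINE: the permission named inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([a-z_]*\) }.*/\1/p'
}

# context_type CONTEXT: the type field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_fs_root INO: true when INO is 2, the root directory inode of an ext2/3/4
# filesystem. A denial on name="/" with ino=2 on a device other than the one
# holding the system root therefore points at the top of a separately mounted
# filesystem, not at the system /.
is_fs_root() {
    [ "$1" = "2" ]
}

# avc_explain LINE: one-line verdict on what the denial is really about.
avc_explain() {
    line=$1
    dev=$(avc_field "$line" dev)
    ino=$(avc_field "$line" ino)
    name=$(avc_field "$line" name)
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    perm=$(avc_perm "$line")
    if [ "$name" = "/" ] && is_fs_root "$ino"; then
        printf '%s denied %s on the root of the filesystem on %s (ino %s), labeled %s\n' \
            "$src" "$perm" "$dev" "$ino" "$tgt"
    else
        printf '%s denied %s on %s (dev %s ino %s), labeled %s\n' \
            "$src" "$perm" "$name" "$dev" "$ino" "$tgt"
    fi
}

# relabel_plan WEBROOT TYPE: the persistent-label commands for a webroot.
# Printed, not executed: semanage and restorecon exist only on an SELinux host.
relabel_plan() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Demonstration with the sample record.
avc_explain "$AVC_LINE"
echo "To confirm which mount dm-7 is, compare: df /home ; ls -Zd /home"
relabel_plan /home/httpd httpd_sys_content_t
```

With the sample record the verdict names httpd_sys_script_t, the search permission, dm-7 and user_home_dir_t, which is exactly the mismatch Dominick points at: fixing it means relabeling the mount point of that filesystem (a restorecon -R on /home), not the system root that sealert's "/" suggests.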