Apache CGI scripts - how to run them cleanly

Dominick Grift domg472 at gmail.com
Tue May 4 20:16:21 UTC 2010


On Tue, May 04, 2010 at 12:51:24PM -0700, Lars Poulsen wrote:
> 
> >On Tue, May 04, 2010 at 12:03:28PM -0700, Lars Poulsen wrote:
> >>     * setsebool -P httpd_read_user_content 1
> >>     * setsebool -P httpd_enable_home_dirs 1
> >>     * setsebool -P httpd_read_user_content 1
> >>     * ....
> >>     * chcon -R -t httpd_sys_script_exec_t /home/httpd/cgi-bin
> >>     * chcon -t httpd_sys_content_t /home/httpd
> >>     * chcon -R -t httpd_sys_content_t /home/httpd/html
> >>     * chcon -R -t httpd_user_content_t /home/sales/serial
> >>     * chcon -R -t htppd_user_content_t /home/sales/leads
> >> But the one that baffles me the most is this one, which comes up when
> >> I trigger the CGI script /home/httpd/cgi-bin/serial.cgi (written in PERL).
> >>
> >> I *think* the "search" access is triggered when the script is launched.
> >> SELinux says that / is labeled as user_home_dir_t, but this is not
> >> true; ls -Zd confirms that it is indeed labeled as root_t. And even
> >> if it were labeled user_home_dir_t, should the boolean
> >> httpd_enable_home_dirs not make it all right ?
> 
> At 12:21 PM 5/4/2010, Dominick Grift wrote:
> >Did you mount a separate partition under /home or /home/*?
> >The AVC denial also shows the device in question. It may in fact be
> >/ on the mounted partition and not your main /.
> >I think a restorecon -R /home or /home/* should solve it though
> 
> Indeed, /home is a separate filesystem.
> ls -Zd tells me that  /home is labeled home_root_t.
> As shown above, /home/httpd is labeled httpd_sys_content_t.
> What do you think is the "correct" label for them to allow them to
> house a CGI program?
> 

First I would like to say that I would not host websites from /home/*.
Secondly, you should use the semanage plus fcontext option to make your file context specifications persistent.

But if you want to use /home/* to host websites then I guess httpd_sys_content_t would be a good type for its webroot, like it is for /var/www.
The issue here is that a directory at inode # 2 on device dm-7 is labeled user_home_dir_t and that the httpd_sys_script_t domain is not allowed to read it.

Either you allow it or you label the dir at inode 2 on dm-7 with a type that apache can search.

> Lars Poulsen
> 
> 
> >> -------------------------------------------------------------------------------------------------------------------------
> >> Summary:
> >>
> >> SELinux is preventing /usr/bin/perl "search" access to /.
> >>
> >> Detailed Description:
> >>
> >> [SELinux is in permissive mode. This access was not denied.]
> >>
> >> SELinux denied access requested by serial.cgi. / may be a mislabeled. / default
> >> SELinux type is root_t, but its current type is user_home_dir_t. Changing this
> >> file back to the default type, may fix your problem.
> >>
> >> File contexts can be assigned to a file in the following ways.
> >>
> >>    * Files created in a directory receive the file context of the parent
> >>      directory by default.
> >>    * The SELinux policy might override the default label inherited from the
> >>      parent directory by specifying a process running in context A which creates
> >>      a file in a directory labeled B will instead create the file with label C.
> >>      An example of this would be the dhcp client running with the dhclient_t type
> >>      and creating a file in the directory /etc. This file would normally receive
> >>      the etc_t type due to parental inheritance but instead the file is labeled
> >>      with the net_conf_t type because the SELinux policy specifies this.
> >>    * Users can change the file context on a file using tools such as chcon, or
> >>      restorecon.
> >>
> >> This file could have been mislabeled either by user error, or if an normally
> >> confined application was run under the wrong domain.
> >>
> >> However, this might also indicate a bug in SELinux because the file should not
> >> have been labeled with this type.
> >>
> >> If you believe this is a bug, please file a bug report against this package.
> >>
> >> Allowing Access:
> >>
> >> You can restore the default system context to this file by executing the
> >> restorecon command. restorecon '/', if this file is a directory, you can
> >> recursively restore using restorecon -R '/'.
> >>
> >> Fix Command:
> >>
> >> /sbin/restorecon '/'
> >>
> >> Additional Information:
> >>
> >> Source Context                system_u:system_r:httpd_sys_script_t:s0
> >> Target Context                unconfined_u:object_r:user_home_dir_t:s0
> >> Target Objects                / [ dir ]
> >> Source                        serial.cgi
> >> Source Path                   /usr/bin/perl
> >> Port                          <Unknown>
> >> Host                          shadow.afar.net
> >> Source RPM Packages           perl-5.10.0-87.fc12
> >> Target RPM Packages           filesystem-2.4.30-2.fc12
> >> Policy RPM                    selinux-policy-3.6.32-113.fc12
> >> Selinux Enabled               True
> >> Policy Type                   targeted
> >> Enforcing Mode                Permissive
> >> Plugin Name                   restorecon
> >> Host Name                     shadow.afar.net
> >> Platform                      Linux shadow.afar.net 2.6.32.11-99.fc12.i686.PAE
> >>                                #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686
> >> Alert Count                   6
> >> First Seen                    Tue 04 May 2010 10:27:30 AM PDT
> >> Last Seen                     Tue 04 May 2010 11:15:28 AM PDT
> >> Local ID                      6cee89bd-3559-4483-9802-fa2dc320bd26
> >> Line Numbers
> >>
> >> Raw Audit Messages
> >>
> >> node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292):
> >> avc:  denied  { search } for  pid=15632 comm="serial.cgi" name="/"
> >> dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0
> >> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
> >>
> >> node=shadow.afar.net type=SYSCALL msg=audit(1272996928.152:22292):
> >> arch=40000003 syscall=5 success=yes exit=3 a0=8b6767c a1=8000 a2=0
> >> a3=0 items=0 ppid=31549 pid=15632 auid=4294967295 uid=48 gid=489
> >> euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none)
> >> ses=4294967295 comm="serial.cgi" exe="/usr/bin/perl"
> >> subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> >>
> >> --
> >> selinux mailing list
> >> selinux at lists.fedoraproject.org
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> >
> 
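A triage helper for the denial quoted in this thread, added here as an example that is not part of the original post or of any Fedora tool: it parses the raw AVC line, resolves dev/ino to a path (assuming a device-mapper node exposed under /sys/block/DEV/dm/name and listed in /proc/self/mounts), and emits the persistent semanage fcontext plus restorecon relabel that the reply recommends; the /home/httpd path and httpd_sys_content_t type used in the demo are the ones discussed above.

```sh
#!/bin/sh
# Parse one raw AVC denial, say who was denied what, resolve the object to a path,
# and print the persistent relabel commands. Sample input is constructed from the
# audit line quoted in this thread.
AVC_SAMPLE='node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292): avc:  denied  { search } for  pid=15632 comm="serial.cgi" name="/" dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir'
# avc_field LINE KEY: the value of KEY=..., quotes stripped.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}
# avc_perm LINE: the permission(s) inside { ... }, e.g. "search".
avc_perm() { printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'; }
# ctx_type CONTEXT: the type part of user:role:type:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }
# avc_summary LINE: one line naming source domain, permission, class and label.
avc_summary() {
  printf '%s denied %s on %s (dev=%s ino=%s, labeled %s)\n' \
    "$(ctx_type "$(avc_field "$1" scontext)")" "$(avc_perm "$1")" \
    "$(avc_field "$1" tclass)" "$(avc_field "$1" dev)" "$(avc_field "$1" ino)" \
    "$(ctx_type "$(avc_field "$1" tcontext)")"
}
# dm_mountpoint DEV: mount point of a device-mapper node such as dm-7
# (assumes /sys/block/DEV/dm/name exists); prints nothing if it is not mounted.
dm_mountpoint() {
  [ -r "/sys/block/$1/dm/name" ] || return 1
  name=$(cat "/sys/block/$1/dm/name")
  awk -v m="/dev/mapper/$name" -v d="/dev/$1" \
    '$1 == m || $1 == d { print $2; exit }' /proc/self/mounts
}
# inode_path DEV INO: path of inode INO on DEV. Inode 2 is the root of an ext
# filesystem, so for the denial above this is the mount point itself.
inode_path() {
  mnt=$(dm_mountpoint "$1") || return 1
  [ -n "$mnt" ] && find "$mnt" -xdev -inum "$2" 2>/dev/null | head -n 1
}
# fix_commands PATH TYPE: persistent relabel: record the context with semanage
# fcontext, then apply it with restorecon (a bare chcon is lost on the next relabel).
fix_commands() {
  printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
  printf 'restorecon -Rv "%s"\n' "$1"
}
if [ "${1:-}" = "--demo" ]; then
  avc_summary "$AVC_SAMPLE"
  p=$(inode_path "$(avc_field "$AVC_SAMPLE" dev)" "$(avc_field "$AVC_SAMPLE" ino)")
  [ -n "$p" ] && ls -Zd "$p"   # compare the live label with: matchpathcon "$p"
  fix_commands /home/httpd httpd_sys_content_t   # the webroot labeling from the thread
fi
```

Run it with `--demo` on the affected host; the parsing functions work on any AVC line, and the fix commands are printed rather than executed so they can be reviewed first.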

