ago@xxxxxx wrote:
>> Looking into the source for targeted policy it seems as this is not
>> enabled. Bug in targeted policy rules?
>
> Not necessarily. execute_no_tran means that you can execute a binary
> belonging to another domain without transition (domain).
>
>> Anyhow, I've tried to add similar line to
>> macros/program/apache_macros.te file, just after similar line for
>
> It would be better to create a local.te under misc. Because of upgrades
> and cleaner system.
>
>> blocked by SELinux. For compiled CGI, I need to enable it to read
>> couple of files from the system first, but it seems to be working.
>
> Run apol to ensure that you don't weaken your system.

Thanks for all of the above hints. I'm still relatively new to SELinux, and
still discovering things. For now it is mostly "OK, this doesn't work, how to
get it to work quickly". I'm planning to dive into it more as time permits...

Anyhow, I still don't see why CGI scripts/programs were not working out of the
box when placed in /var/www/cgi-bin. This box is a fresh install with almost
default configuration. I thought targeted policy should allow that by default
(provided httpd_enable_cgi is set to true, which seems to be the default
setting)? Am I the only one with this problem?

I have a separate partition for /var, mounted with the nosuid flag, which might
or might not make my system a bit different, however I don't see how this
should affect SELinux policy (actually, once this gets solved completely, I'll
be moving cgi-bin to /usr, and mounting /var with noexec,nosuid).

Related to this, when I attempted to use mod_suexec in httpd.conf (something
along the lines of "SuexecUserGroup apache apache", which should be user
scripts run if suexec is not used), I got more SELinux related errors in
/var/log/messages...

I found the apol utility (/usr/share/setools/apol.tcl), however it seems to
require awish, which I don't have installed. Running it in normal wish results
in an error message saying that I need Tk with BWidgets compiled in... What
package do I need for awish?

-- 
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB R3T 1L7
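The message above raises three separate things that can stop CGI under the targeted policy: the httpd_enable_cgi boolean, the SELinux label on the files in cgi-bin, and the mount options of the partition cgi-bin lives on (nosuid only drops setuid bits and does not involve SELinux, but noexec makes the kernel refuse to run binaries from that filesystem regardless of policy). The POSIX shell script below is an added example, not something from the thread or from the SELinux project; it checks all three from sample data that is constructed inline so it runs offline. It assumes that CGI executables must carry the httpd_sys_script_exec_t type and that the input formats match `getsebool -a`, `ls -Z` and /proc/mounts; on a real host you would substitute the output of those commands for the constructed strings.

```shell
#!/bin/sh
# Added diagnostic for "CGI is denied under the targeted policy" (example code,
# not from the thread). Every input below is constructed sample data.

# Constructed sample of `getsebool -a` output.
SAMPLE_BOOLS='httpd_enable_cgi --> active
httpd_enable_homedirs --> inactive'

# Constructed sample of `ls -Z /var/www/cgi-bin` output. The expected type,
# httpd_sys_script_exec_t, is an assumption about the targeted policy.
SAMPLE_LSZ='-rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t test.cgi
-rwxr-xr-x  root root system_u:object_r:httpd_sys_content_t     broken.cgi'

# Constructed sample of /proc/mounts: /var is a separate noexec,nosuid partition.
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw 0 0
/dev/sda3 /var ext3 rw,nosuid,noexec 0 0'

# bool_active NAME BOOLS: succeeds when NAME is reported active.
bool_active() {
    printf '%s\n' "$2" | grep -q "^$1 --> active$"
}

# bad_labels LSZ: prints the names of files whose type is not the CGI exec type.
bad_labels() {
    printf '%s\n' "$1" | awk '$4 !~ /httpd_sys_script_exec_t/ { print $5 }'
}

# mount_opts PATH MOUNTS: prints the option string of the longest mountpoint
# that is a prefix of PATH (so /var/www/cgi-bin resolves to /var, not /).
mount_opts() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            if (mp == p || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END { print opts }'
}

# mount_has_option PATH OPT MOUNTS: succeeds when OPT is among the mount options.
mount_has_option() {
    mount_opts "$1" "$3" | tr ',' '\n' | grep -qx "$2"
}

# Report for the constructed data.
CGI_DIR=/var/www/cgi-bin
if bool_active httpd_enable_cgi "$SAMPLE_BOOLS"; then
    echo "httpd_enable_cgi: active"
else
    echo "httpd_enable_cgi: NOT active (setsebool httpd_enable_cgi 1)"
fi
for f in $(bad_labels "$SAMPLE_LSZ"); do
    echo "mislabelled CGI file: $f (expected httpd_sys_script_exec_t)"
done
for opt in noexec nosuid; do
    if mount_has_option "$CGI_DIR" "$opt" "$SAMPLE_MOUNTS"; then
        echo "$CGI_DIR is on a filesystem mounted $opt"
    fi
done
```

Run it as-is to see the report for the sample data; the noexec line is the one that explains a failure no SELinux rule can fix, while a mislabelled file is fixed with the policy's file contexts rather than a new allow rule in local.te.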