Aleksandar Milivojevic wrote:
> I have freshly installed CentOS 4 box, with Apache installed. I've
> placed some CGI programs into /var/www/cgi-bin, however SELinux is
> preventing the execution. One program is statically linked executable,
> and the other is shell script.

Please see the full thread for complete details and a full description of the problem.

I've placed this problem on RHEL4 Bugzilla, and got an answer that solved the problem completely:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=150880

The problem with my configuration was that /var was mounted with the nosuid flag:

/dev/system_vg/var_vol /var ext3 nosuid 1 2

When a partition is mounted nosuid, domain transitions are not possible. Effectively this prevents CGI scripts from running. Mounting the partition with the suid flag (default) solved the problem:

/dev/system_vg/var_vol /var ext3 defaults 1 2

So to summarize. To be able to run CGI programs under SELinux using the targeted policy:

1. Apache should run under the httpd_t type.
2. The CGI executable's security context should include httpd_sys_script_exec_t.
3. The httpd_enable_cgi SELinux boolean must be set to true (or 1).
4. The partition where the CGI executable is located must be mounted with the suid flag (default).

IMO, good practice would be moving the cgi-bin directory to a partition such as /usr, that could be mounted with the ro (read-only) flag, and needs the suid and exec flags anyhow. That way, /var (that contains files/directories writable by Apache) can be mounted with the rw,nosuid,noexec flags.

I wish to thank everyone for the feedback I got, and their time and effort. Special thanks to Colin Walters of Red Hat for pointing out the effects of the nosuid/suid mount flag on SELinux policies.

-- 
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
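The four conditions in the summary above can be checked from a shell. The script below is an added example written for this page, not code from the thread, from Red Hat, or from the Bugzilla entry. The mount-table parsing is exercised against a constructed /proc/mounts-style table that mirrors the post's broken layout (nosuid /var); the live checks assume the usual output formats of `ps -eZ`, `ls -Zd` and `getsebool` on an SELinux host and are only run when invoked with `--live`.

```shell
#!/bin/sh
# Constructed example for this page (not from the original thread): checks the
# four prerequisites the post lists for CGI under the targeted policy.
# The sample mount table is made up; the ps -eZ / ls -Zd / getsebool output
# formats parsed in check_cgi_prereqs are assumptions about the host's tools.

# Print the mount options of the mount point holding path $1, reading a
# /proc/mounts-style table from stdin. The longest matching mount point wins,
# so /var/www/cgi-bin resolves to /var rather than /.
mount_opts_for_path() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || index(p "/", mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END { if (best == "") exit 1; print opts }'
}

# Succeed if the comma-separated option list $1 contains option $2.
has_mount_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# 0 if the filesystem holding $1 permits setuid/domain transitions,
# 1 if it is mounted nosuid, 2 if no mount point covers the path.
# Reads the mount table from stdin.
cgi_mount_ok() {
    opts=$(mount_opts_for_path "$1") || return 2
    if has_mount_opt "$opts" nosuid; then return 1; fi
    return 0
}

# Succeed if SELinux context $1 (user:role:type[:level]) has type $2.
context_has_type() {
    [ "$(printf '%s' "$1" | cut -d: -f3)" = "$2" ]
}

# Live check of the four conditions for CGI directory $1.
# Prints one line per condition; returns the number of failed checks.
check_cgi_prereqs() {
    cgi="${1:-/var/www/cgi-bin}"; failed=0

    # 1. Apache runs in httpd_t (assumes ps -eZ prints the context first)
    if ps -eZ 2>/dev/null | grep -q ':httpd_t[: ].*httpd'; then
        echo "ok   httpd runs in httpd_t"
    else
        echo "FAIL no httpd process in httpd_t"; failed=$((failed + 1))
    fi

    # 2. CGI directory carries httpd_sys_script_exec_t (assumes ls -Zd output)
    ctx=$(ls -Zd "$cgi" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) print $i }')
    if context_has_type "$ctx" httpd_sys_script_exec_t; then
        echo "ok   $cgi is httpd_sys_script_exec_t"
    else
        echo "FAIL $cgi context is '${ctx:-unknown}'"; failed=$((failed + 1))
    fi

    # 3. httpd_enable_cgi boolean is on (assumes "name --> on" output)
    if getsebool httpd_enable_cgi 2>/dev/null | grep -q -- '--> on'; then
        echo "ok   httpd_enable_cgi is on"
    else
        echo "FAIL httpd_enable_cgi is off (setsebool -P httpd_enable_cgi 1)"; failed=$((failed + 1))
    fi

    # 4. filesystem holding the CGI directory is not mounted nosuid
    cgi_mount_ok "$cgi" < /proc/mounts
    case $? in
        0) echo "ok   $cgi filesystem allows domain transitions" ;;
        1) echo "FAIL $cgi filesystem is mounted nosuid"; failed=$((failed + 1)) ;;
        *) echo "FAIL could not find mount point for $cgi"; failed=$((failed + 1)) ;;
    esac
    return $failed
}

# Constructed mount table mirroring the post's broken layout: /var is nosuid.
SAMPLE_MOUNTS='/dev/system_vg/root_vol / ext3 rw 0 0
/dev/system_vg/var_vol /var ext3 rw,nosuid 0 0
/dev/system_vg/usr_vol /usr ext3 ro 0 0'

if [ "${1:-}" = "--live" ]; then
    check_cgi_prereqs "${2:-/var/www/cgi-bin}"
else
    # Offline demo on the constructed table.
    if printf '%s\n' "$SAMPLE_MOUNTS" | cgi_mount_ok /var/www/cgi-bin; then
        echo "demo: /var/www/cgi-bin filesystem allows domain transitions"
    else
        echo "demo: /var/www/cgi-bin filesystem is mounted nosuid (status $?)"
    fi
fi
```

Run it with `--live [cgi-dir]` on the host to check the real system; without arguments it only evaluates the constructed table, where /var/www/cgi-bin fails check 4 exactly as in the post, while a cgi-bin under the read-only /usr passes it.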