On Wed, 30 Mar 2005 17:55:36 +0800, Jeremy Ardley <jeremy@xxxxxxxxxx> wrote:

> Hi,
>
> I am experimenting with cgi-bin perl scripts to set specific users'
> passwords. The scripts correctly generate passwords when run from the
> bash prompt but silently do nothing when invoked on the web page.
>
> I assume this is a selinux issue and would like some pointers.

Check /var/log/messages for 'avc: denied' messages. If you don't see any, this is not an SELinux issue. If you do see these messages, then see below.

> 1. Is letting a cgi script change passwords a good idea?

This is more a religious issue than anything else, in my opinion. I wouldn't allow it, personally.

> 2. If it is safe, how do I persuade selinux to let it happen?

Look into use of the audit2allow utility for converting denied messages into rules that allow the behavior that was denied. The short of it is:

# cd /etc/selinux/targeted/src
# audit2allow -d -l -o domains/misc/local.te && make load

Repeat until your script works and then clean up the local.te file's formatting (not necessary).

The long of it (and a good read) is the Red Hat Enterprise Linux 4 SELinux Guide (http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/). I'd suggest reading that, specifically section II, before doing what I've suggested here to make sure you have a full understanding of what's going on.

Note that you are peeling back layers of SELinux protection by doing this (by granting permissions rather than denying them). In the worst case, this part of your system (in this case CGI scripts) will have the same basic Linux DAC (discretionary access controls) protection that you've been using since before SELinux was available. You can't make your system less secure than you would be without SELinux using audit2allow; you can only put yourself in a state where SELinux is effectively disabled.

-- 
Chris

"Build a man a fire and he will be warm for the rest of the night.
Set a man on fire and he will be warm for the rest of his life." -- Unknown
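As an added illustration of the review step that the reply above recommends (reading the 'avc: denied' lines and understanding what audit2allow would turn them into before running `make load`), here is a small parser that groups denials by source type, target type and object class and renders them in the `allow` rule form audit2allow emits. This is example code written for this page, not part of the original thread or of audit2allow itself; the log lines are constructed samples in the /var/log/messages format of that era, and the type names in them are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/messages excerpt (not from the original post).
# Two AVC denials for a CGI script touching the shadow file, one for
# executing passwd, and one unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Mar 30 18:01:02 www kernel: audit(1112176862.123:42): avc:  denied  { read } for  pid=2345 exe=/usr/bin/perl name=shadow dev=hda1 ino=65231 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Mar 30 18:01:02 www kernel: audit(1112176862.124:43): avc:  denied  { write } for  pid=2345 exe=/usr/bin/perl name=shadow dev=hda1 ino=65231 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Mar 30 18:01:03 www kernel: audit(1112176863.001:44): avc:  denied  { execute } for  pid=2346 exe=/usr/bin/perl name=passwd dev=hda1 ino=12345 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:passwd_exec_t tclass=file
Mar 30 18:01:05 www sshd[999]: Accepted publickey for jeremy from 10.0.0.5 port 4567 ssh2
"""

# Matches the permission set and the three context fields of an AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)}.

    A context is user:role:type, so the type is the third field. Lines that
    are not AVC denials are skipped.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        denials[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(denials)

def to_allow_rules(denials):
    """Render each grouped denial as a TE allow rule, sorted for stable review."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    # Each printed rule is a permission you would be granting; read them all
    # before loading anything into the policy.
    for rule in to_allow_rules(parse_avc_denials(SAMPLE_LOG)):
        print(rule)
```

Seeing the web-script domain gain read and write on the shadow file's type in the generated rules is exactly the kind of thing the reply warns about: the rule makes the script work, but it also removes the protection SELinux was providing at that point.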