On Wed, 2005-03-30 at 10:03 -0600, Christofer C. Bell wrote:
> That's a very good point and really bears spelling out. How would one
> go about creating the new domain and then implementing the proper
> transition for just one set of CGI scripts? I ask because I (was)
> running Open WebMail and ran into the case where I needed to
> effectively disable SELinux controls over all CGI scripts to allow OWM
> to run. I would have preferred the case where these controls were
> removed *only* for the relevant scripts, allowing the remaining
> scripts to keep the protections afforded by the default policy.

Dan has written a new domain "httpd_unconfined_t" and a corresponding
httpd_unconfined_script_exec_t, which I believe is in the latest rawhide.
You can then mark specific CGI scripts, such as ones that change user
passwords, like so:

    chcon -t httpd_unconfined_script_exec_t /path/to/my/passwd.cgi

Then the script will be unconfined when executed by httpd.

Note that in general this is fairly dangerous if the script is actually
written in a language like Python, since a malicious httpd_t process could
set a number of environment variables like PYTHONPATH before executing the
script, which could easily lead to a compromise of the unconfined script.

I can't think of a good solution for this other than writing your own
little C program. Probably we need a specialized interpreter, e.g.
/bin/envexec, which would take a list of environment variables to
preserve, and you could write a little script like:

    #!/bin/envexec /var/www/cgi-bin/myscript.cgi

Then you make that file executable and make its type be
httpd_unconfined_script_exec_t.

Maybe someone can think of a better way to create wrappers for cleaning
the environment without actually writing a new little C program.
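A minimal version of the envexec wrapper sketched in the message above, written as an added example for this thread and not code from the list or from any Fedora package: it drops every inherited variable except a compiled-in allow-list of CGI meta-variables, pins PATH, and execs the script named in argv[1], which is what the kernel passes when a file begins with `#!/bin/envexec /var/www/cgi-bin/myscript.cgi`. The allow-list contents and the install path are assumptions.

```c
/* envexec.c: exec a CGI script with a scrubbed environment (added example).
 * Interpreter-line use:  #!/bin/envexec /var/www/cgi-bin/myscript.cgi
 * Linux then runs: envexec /var/www/cgi-bin/myscript.cgi <wrapper-path>,
 * so the real script is argv[1]; the wrapper path in argv[2] is ignored. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed allow-list: RFC 3875 CGI meta-variables the script needs.
 * Anything else (PYTHONPATH, PERL5LIB, LD_PRELOAD, ...) is dropped. */
static const char *const ALLOWED[] = {
    "REQUEST_METHOD", "QUERY_STRING", "CONTENT_TYPE", "CONTENT_LENGTH",
    "SCRIPT_NAME", "PATH_INFO", "REMOTE_ADDR", "SERVER_PROTOCOL", "HTTP_COOKIE",
    NULL
};

/* Return 1 if the NAME part of a "NAME=value" entry is in ALLOWED. */
static int is_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (!eq) return 0;
    size_t n = (size_t)(eq - entry);
    for (const char *const *p = ALLOWED; *p; ++p)
        if (strlen(*p) == n && strncmp(*p, entry, n) == 0) return 1;
    return 0;
}

/* Fill out[] (NULL-terminated) with a pinned PATH plus the allowed entries
 * of envp, in order.  Returns the entry count, or -1 if out is too small. */
int build_clean_env(char *const *envp, char **out, size_t max) {
    size_t n = 0;
    if (max < 2) return -1;
    out[n++] = "PATH=/usr/bin:/bin";          /* never inherit PATH */
    for (; *envp; ++envp) {
        if (!is_allowed(*envp)) continue;
        if (n + 1 >= max) return -1;          /* leave room for the NULL */
        out[n++] = *envp;
    }
    out[n] = NULL;
    return (int)n;
}
int main(int argc, char **argv, char **envp) {
    char *clean[64];
    if (argc < 2) { fputs("usage: envexec <script> [wrapper]\n", stderr); return 2; }
    if (build_clean_env(envp, clean, sizeof clean / sizeof *clean) < 0) return 2;
    char *const args[] = { argv[1], NULL };   /* no extra argv reaches the script */
    execve(argv[1], args, clean);
    perror("execve");
    return 127;
}
```

The wrapper file itself, not the target script, is what gets the httpd_unconfined_script_exec_t type, and the binary must be owned by root and not writable by the httpd user.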