Jochen Wiedmann wrote:
Paul Howarth wrote:
The simplest fix might be to change the file context of this particular
CGI script to httpd_unconfined_script_exec_t instead of
httpd_sys_script_t. That would effectively turn off SELinux protection
for that particular script.
The alternative approach of using audit2allow to create a local policy
to allow these capabilities would turn on these capabilities for *all*
of your CGI scripts, which IMHO would be worse than turning off
protection for just that one script (particularly if that script was
well-audited for security issues).
Ideally it would be easy to create a subclass of CGI scripts and assign
special capabilities to those (I have a similar issue with FastCGI
scripts that need slightly more capabilities than regular CGI scripts),
but that's beyond me at this moment.
As the script in question can indeed be called well-audited (basically, it
just allows to trigger a certain action by calling another script with
fixed attributes), I have decided to go with httpd_unconfined_script_exec_t.
That did the trick neatly.
Thanks very much,
Jochen
Another alternative might be to write your own module
Create three files
# cat >> myapache.te << _EOF
policy_module(myapache,1.0.0)
apache_content_template(myapache)
allow httpd_myapache_script_t self:capability setuid;
allow httpd_myapache_script_t self:process setrlimit;
_EOF
echo > myapache.if
# cat >> myapache.te << _EOF
/var/www/cgi-bin/myapache_script --
gen_context(system_u:object_r:httpd_myapache_script_exec_t,s0)
_EOF
Then build a policy module.
make -f /usr/share/selinux/devel/Makefile
semodule -i myapache.pp
restorecon -F -v /var/www/cgi-bin/myapache_script
Then try it out.
Of course you might need additional rules.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
