CGI can't read public_html files

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello!

I want to access public_html files from CGI script, but can't do it -
got AVC error during reading README file from public_html dir:

- -----------------------------------------------------------------------
[root@elc6002s nuald]# tail /var/log/messages | grep setroubleshoot -m 1

Nov 29 13:42:51 elc6002s setroubleshoot: #012    SELinux is preventing
the format.cgi from using potentially mislabeled files <Unknown>
(unconfined_home_dir_t).#012     For complete SELinux messages. run
sealert -l 69519bd7-3e77-46d9-b845-7f066c4515e6
- -----------------------------------------------------------------------

I have only one item with unconfined_home_dir_t type in the path to
README file:

- -----------------------------------------------------------------------
[nuald@elc6002s public_html]$ ls -Z `pwd`/README && pushd . > /dev/null
&& while [[ `pwd` != '/' ]]; do ls -Zd `pwd` &&  cd ..; done && popd >
/dev/null

- -rw-rw-r--  nuald nuald system_u:object_r:httpd_user_content_t:s0
/home/nuald/public_html/README
drwxrwxr-x  nuald nuald system_u:object_r:httpd_user_content_t:s0
/home/nuald/public_html
drwx--x--x  nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0
/home/nuald
drwxr-xr-x  root root system_u:object_r:home_root_t:s0 /home
- -----------------------------------------------------------------------

So, only my home dir have unconfined_home_dir_t type. But I do not want
to change it to httpd_sys_content_t type and I don't like this solution.

The CGI script itself works fine either it have httpd_user_content_t
type now:

- -----------------------------------------------------------------------
[nuald@elc6002s cgi-bin]$ ls -Z `pwd`/format.cgi && pushd . > /dev/null
&& while [[ `pwd` != '/' ]]; do ls -Zd `pwd` &&  cd ..; done && popd >
/dev/null

- -rwxr-xr-x  nuald nuald system_u:object_r:httpd_user_content_t:s0
/home/nuald/public_html/cgi-bin/format.cgi
drwxr-xr-x  nuald nuald system_u:object_r:httpd_user_content_t:s0
/home/nuald/public_html/cgi-bin
drwxrwxr-x  nuald nuald system_u:object_r:httpd_user_content_t:s0
/home/nuald/public_html
drwx--x--x  nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0
/home/nuald
drwxr-xr-x  root root system_u:object_r:home_root_t:s0 /home
- -----------------------------------------------------------------------

So the script only can't read files in public_html folder. What is right
way to fix it?

The script itself is below and used as
http://localhost/~nuald/cgi-bin/format.cgi?file=README
- -----------------------------------------------------------------------
[nuald@elc6002s cgi-bin]$ cat format.cgi

#!/usr/bin/perl -wT

use strict;
use CGI qw/:standard/;
use IO::File;
use File::Spec;
use Cwd 'realpath';

print header;
my $filename = param('file') or die "Can be executed only as CGI";
my $updir = File::Spec->updir();
my $rel_path = File::Spec->catfile($updir, $filename);
my $path = realpath($rel_path) ;
my $file = IO::File->new($path,"<") or die "Can't open file $path";
my $text = join "", <$file>;
$file->close or die "Can't close file";

print $text;
- -----------------------------------------------------------------------

Thanks in advance.
- --
Best regards, Alex Slesarev.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHULe0NLNdFA8Hg1cRCBUOAJ9LhblT0DTYN5hs4HqDYzfNpt66MACgitJO
hR0isSJ+FDxHy7C8Izc+y7k=
=MDzY
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux