Hello!

I want to access public_html files from a CGI script, but can't do it: I get an AVC error when reading the README file from the public_html dir:

-----------------------------------------------------------------------
[root@elc6002s nuald]# tail /var/log/messages | grep setroubleshoot -m 1
Nov 29 13:42:51 elc6002s setroubleshoot: #012 SELinux is preventing the format.cgi from using potentially mislabeled files <Unknown> (unconfined_home_dir_t).#012 For complete SELinux messages. run sealert -l 69519bd7-3e77-46d9-b845-7f066c4515e6
-----------------------------------------------------------------------

I have only one item with the unconfined_home_dir_t type in the path to the README file:

-----------------------------------------------------------------------
[nuald@elc6002s public_html]$ ls -Z `pwd`/README && pushd . > /dev/null && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd > /dev/null
-rw-rw-r-- nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/README
drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html
drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0 /home/nuald
drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
-----------------------------------------------------------------------

So, only my home dir has the unconfined_home_dir_t type. But I do not want to change it to the httpd_sys_content_t type and I don't like this solution.

The CGI script itself works fine; it has the httpd_user_content_t type now:

-----------------------------------------------------------------------
[nuald@elc6002s cgi-bin]$ ls -Z `pwd`/format.cgi && pushd . > /dev/null && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd > /dev/null
-rwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/cgi-bin/format.cgi
drwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/cgi-bin
drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html
drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0 /home/nuald
drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
-----------------------------------------------------------------------

So the script only fails to read files in the public_html folder. What is the right way to fix it?

The script itself is below; it is used as http://localhost/~nuald/cgi-bin/format.cgi?file=README

-----------------------------------------------------------------------
[nuald@elc6002s cgi-bin]$ cat format.cgi
#!/usr/bin/perl -wT
use strict;
use CGI qw/:standard/;
use IO::File;
use File::Spec;
use Cwd 'realpath';

print header;

# File name taken from the "file" query parameter, used as given.
my $filename = param('file') or die "Can be executed only as CGI";

# Build ../<file> relative to cgi-bin and resolve it to an absolute path.
my $updir = File::Spec->updir();
my $rel_path = File::Spec->catfile($updir, $filename);
my $path = realpath($rel_path);

# Read the whole file and send it back to the client.
my $file = IO::File->new($path, "<") or die "Can't open file $path";
my $text = join "", <$file>;
$file->close or die "Can't close file";
print $text;
-----------------------------------------------------------------------

Thanks in advance.

-- 
Best regards, Alex Slesarev.
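An added example, not part of the original post: format.cgi as posted hands the `file` parameter to realpath() and open() without checking where the result lands, so the SELinux labels are the only thing keeping reads inside public_html. The variant below adds that check in the script itself; `resolve_inside`, the 404 response and the text/plain content type are choices made for this example, and it assumes the script runs from public_html/cgi-bin as in the post.

```perl
#!/usr/bin/perl -wT
use strict;
use CGI qw/:standard/;
use IO::File;
use File::Spec;
use Cwd 'realpath';

# Assumption: the script runs from public_html/cgi-bin (as in the post), so
# the parent directory is the only tree it is meant to read from.
my $base = realpath(File::Spec->updir()) or die "Can't resolve base directory";

# Return the resolved path for $name if it is a regular file below $base,
# or nothing otherwise. resolve_inside is a name made up for this example.
sub resolve_inside {
    my ($base, $name) = @_;
    return unless defined $name && length $name;
    # Reject NUL bytes and absolute paths before touching the filesystem.
    return if $name =~ /\0/ || File::Spec->file_name_is_absolute($name);
    # realpath resolves ".." and symlinks, so the prefix test below is made
    # on the file that would really be opened.
    my $path = realpath(File::Spec->catfile($base, $name));
    return unless defined $path && -f $path;
    return unless index($path, "$base/") == 0;
    return $path;
}

my $path = resolve_inside($base, scalar param('file'));
unless (defined $path) {
    # Same answer for "missing" and "outside the tree".
    print header(-status => '404 Not Found', -type => 'text/plain'),
          "Not found\n";
    exit;
}

my $file = IO::File->new($path, "<") or die "Can't open file";
# text/plain so the file contents are not interpreted as HTML by the browser.
print header(-type => 'text/plain');
print while <$file>;
$file->close or die "Can't close file";
```

This does not change which SELinux types the CGI domain may read; it only keeps the script from relying on policy alone to confine the `file` parameter.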