Re: CGI can't read public_html files

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex Slesarev wrote:
> Hello!
> 
> I want to access public_html files from CGI script, but can't do it -
> got AVC error during reading README file from public_html dir:
> 
> -----------------------------------------------------------------------
> [root@elc6002s nuald]# tail /var/log/messages | grep setroubleshoot -m 1
> 
> Nov 29 13:42:51 elc6002s setroubleshoot: #012    SELinux is preventing
> the format.cgi from using potentially mislabeled files <Unknown>
> (unconfined_home_dir_t).#012     For complete SELinux messages. run
> sealert -l 69519bd7-3e77-46d9-b845-7f066c4515e6
> -----------------------------------------------------------------------
> 
> I have only one item with unconfined_home_dir_t type in the path to
> README file:
> 
> -----------------------------------------------------------------------
> [nuald@elc6002s public_html]$ ls -Z `pwd`/README && pushd . > /dev/null
> && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` &&  cd ..; done && popd >
> /dev/null
> 
> -rw-rw-r--  nuald nuald system_u:object_r:httpd_user_content_t:s0
> /home/nuald/public_html/README
> drwxrwxr-x  nuald nuald system_u:object_r:httpd_user_content_t:s0
> /home/nuald/public_html
> drwx--x--x  nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0
> /home/nuald
> drwxr-xr-x  root root system_u:object_r:home_root_t:s0 /home
> -----------------------------------------------------------------------
> 
> So, only my home dir have unconfined_home_dir_t type. But I do not want
> to change it to httpd_sys_content_t type and I don't like this solution.
> 
> The CGI script itself works fine either it have httpd_user_content_t
> type now:
> 
> -----------------------------------------------------------------------
> [nuald@elc6002s cgi-bin]$ ls -Z `pwd`/format.cgi && pushd . > /dev/null
> && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` &&  cd ..; done && popd >
> /dev/null
> 
> -rwxr-xr-x  nuald nuald system_u:object_r:httpd_user_content_t:s0
> /home/nuald/public_html/cgi-bin/format.cgi
> drwxr-xr-x  nuald nuald system_u:object_r:httpd_user_content_t:s0
> /home/nuald/public_html/cgi-bin
> drwxrwxr-x  nuald nuald system_u:object_r:httpd_user_content_t:s0
> /home/nuald/public_html
> drwx--x--x  nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0
> /home/nuald
> drwxr-xr-x  root root system_u:object_r:home_root_t:s0 /home
> -----------------------------------------------------------------------
> 
> So the script only can't read files in public_html folder. What is right
> way to fix it?
> 
> The script itself is below and used as
> http://localhost/~nuald/cgi-bin/format.cgi?file=README
> <http://localhost/%7Enuald/cgi-bin/format.cgi?file=README>
> -----------------------------------------------------------------------
> [nuald@elc6002s cgi-bin]$ cat format.cgi
> 
> #!/usr/bin/perl -wT
> 
> use strict;
> use CGI qw/:standard/;
> use IO::File;
> use File::Spec;
> use Cwd 'realpath';
> 
> print header;
> my $filename = param('file') or die "Can be executed only as CGI";
> my $updir = File::Spec->updir();
> my $rel_path = File::Spec->catfile($updir, $filename);
> my $path = realpath($rel_path) ;
> my $file = IO::File->new($path,"<") or die "Can't open file $path";
> my $text = join "", <$file>;
> $file->close or die "Can't close file";
> 
> print $text;
> -----------------------------------------------------------------------
> 
> Thanks in advance.
> 
> 
> 
> ------------------------------------------------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
What selinux policy are you running?

rpm -q selinux-policy


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHVCyjrlYvE4MpobMRAj//AKCY7DoTOEGQpXL6criBA8kOZthyIwCfVYTW
jgaaqMBnr4qv3ob0YiqeJvM=
=6KbB
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux