Alex Slesarev wrote:
> Hello!
>
> I want to access public_html files from a CGI script, but can't do it -
> I get an AVC error while reading the README file from the public_html dir:
>
> -----------------------------------------------------------------------
> [root@elc6002s nuald]# tail /var/log/messages | grep setroubleshoot -m 1
>
> Nov 29 13:42:51 elc6002s setroubleshoot: #012 SELinux is preventing
> the format.cgi from using potentially mislabeled files <Unknown>
> (unconfined_home_dir_t).#012 For complete SELinux messages. run
> sealert -l 69519bd7-3e77-46d9-b845-7f066c4515e6
> -----------------------------------------------------------------------
>
> I have only one item with the unconfined_home_dir_t type in the path to
> the README file:
>
> -----------------------------------------------------------------------
> [nuald@elc6002s public_html]$ ls -Z `pwd`/README && pushd . > /dev/null && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd > /dev/null
>
> -rw-rw-r-- nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/README
> drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html
> drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0 /home/nuald
> drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
> -----------------------------------------------------------------------
>
> So, only my home dir has the unconfined_home_dir_t type. But I do not want
> to change it to the httpd_sys_content_t type, and I don't like this solution.
>
> The CGI script itself works fine, and it has the httpd_user_content_t
> type now:
>
> -----------------------------------------------------------------------
> [nuald@elc6002s cgi-bin]$ ls -Z `pwd`/format.cgi && pushd . > /dev/null && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd > /dev/null
>
> -rwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/cgi-bin/format.cgi
> drwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/cgi-bin
> drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html
> drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0 /home/nuald
> drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
> -----------------------------------------------------------------------
>
> So the script just can't read files in the public_html folder. What is the right
> way to fix it?
>
> The script itself is below and is used as
> http://localhost/~nuald/cgi-bin/format.cgi?file=README
> -----------------------------------------------------------------------
> [nuald@elc6002s cgi-bin]$ cat format.cgi
>
> #!/usr/bin/perl -wT
>
> use strict;
> use CGI qw/:standard/;
> use IO::File;
> use File::Spec;
> use Cwd 'realpath';
>
> print header;
> # The file name comes straight from the query string (?file=README).
> my $filename = param('file') or die "Can be executed only as CGI";
> # Build ../<file> relative to the cgi-bin directory and resolve it;
> # nothing here checks that the resolved path stays inside public_html.
> my $updir = File::Spec->updir();
> my $rel_path = File::Spec->catfile($updir, $filename);
> my $path = realpath($rel_path);
> # Read-only open; this is the access the AVC denial above is about.
> my $file = IO::File->new($path, "<") or die "Can't open file $path";
> my $text = join "", <$file>;
> $file->close or die "Can't close file";
>
> print $text;
> -----------------------------------------------------------------------
>
> Thanks in advance.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

What selinux policy are you running?

rpm -q selinux-policy
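The diagnostic Alex ran by hand (walk the path, print each component's label) can be turned into a check that names the component whose type is not one httpd may traverse. This is an added example, not code from the thread; the allow-list of httpd-readable types is an assumption drawn from the labels shown above, and the check runs on a constructed copy of Alex's listing so it works without SELinux.

```shell
# Walk the directory chain of a path, as the thread's pushd/cd loop does,
# and report every component whose SELinux type is outside an allow-list.
# On a real system path_listing() gathers labels with `ls -Zd`; the check
# runs here on a constructed listing so it works without SELinux.

# Assumption: types a CGI under httpd may traverse or read on the way to
# user content (the two httpd content types plus home_root_t for /home).
HTTPD_OK_TYPES="httpd_user_content_t httpd_sys_content_t home_root_t"

# One `ls -Zd` line per component from the file up to /, without cd'ing
# (a sturdier form of the one-liner in the thread).
path_listing() {
    p=$1
    while [ "$p" != / ]; do
        ls -Zd -- "$p"
        p=$(dirname -- "$p")
    done
}

# $1: allow-list of types; $2: ls -Zd style listing, one entry per line.
# The context is taken as the second-to-last field and the path as the
# last, so both the old "mode owner group context path" layout shown in
# the thread and the newer "context path" layout of ls -Z parse the same.
# Prints "<path> <type>" for each component whose type is not allowed.
find_blocking_components() {
    printf '%s\n' "$2" | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 2 {
            split($(NF-1), f, ":")          # user:role:type:level
            if (!(f[3] in ok)) print $NF, f[3]
        }'
}

# Constructed sample: the listing Alex posted for /home/nuald/public_html/README.
SAMPLE_LISTING='-rw-rw-r-- nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/README
drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html
drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0 /home/nuald
drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home'

# Offline run on the sample. On a real host:
#   find_blocking_components "$HTTPD_OK_TYPES" "$(path_listing /home/nuald/public_html/README)"
find_blocking_components "$HTTPD_OK_TYPES" "$SAMPLE_LISTING"
# prints: /home/nuald unconfined_home_dir_t
```

On Alex's listing the only line printed is the home directory itself, which matches the type named in the setroubleshoot message.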