On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
> > On 12/02/2010 12:44 PM, Tony Molloy wrote:
> >> On Thursday 02 December 2010 17:37:54 m.roth@xxxxxxxxx wrote:
> >>> Tony Molloy wrote:
> >>>> On Thursday 02 December 2010 15:56:59 m.roth@xxxxxxxxx wrote:
> >>>>> Daniel J Walsh wrote:
> >>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I'm running http on a fully updated Centos 5 system.
> >>>>>>>
> >>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
> >>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
> >>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
> >>>>>>>
> >>>>>>> I'm trying to run a cgi script from a user directory.
> >>>>>
> >>>>> <MVNCH>
> >>>>>
> >>>>>> Do you have httpd_suexec_disable_trans turned on?
> >>>>>
> >>>>> Actually, what bothers me is trying to run a .cgi from a user's
> >>>>> directory. Can't you create a directory ->under the apache <Directory><- that the
> >>>>> users can put scripts in for testing? (I assume that once they're
> >>>>> good, they go into the real production location for .cgi.)
> >>>>
> >>>> Not so easily done ;-)
> >>>>
> >>>> This is a University environment with several hundred faculty/students
> >>>> wanting to use this server to run/check assignments. So they have ftp accounts
> >>>> where they can upload any scripts to their public_html directory and run them
> >>>> from there.
> >>>
> >>> I figured it was something like that. What I was thinking was
> >>>
> >>> /var/www/html/public_cgi/<students' directories>
> >>>
> >>> which would put them in a *legitimate* place for apache to be happy
> >>> with, and which selinux would be happy with.
> >>>
> >>> You *might* need to add them to a group named something like pubcgi,
> >>> and make the above group acceptable to selinux and apache.
> >>>
> >>> mark
> >>
> >> Interesting idea. I could give it a try next semester.
> >
> > Not sure if suexec would work if you set it up that way
> >
> I've ~/public_html/cgi-bin
> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just dandy
> with suexec.
>

I'm not clear what you are saying here.

My SELinux contexts
-------------------

cd /var/pub/ftp
                                                            user directory
drwxr-xr-x  healyp ftpgrp root:object_r:public_content_rw_t healyp

cd healyp
drwxr-xr-x  healyp ftpgrp root:object_r:public_content_rw_t public_html
                                        ^^^^^^
cd public_html
drwxr-xr-x  healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
                                              ^^^
cd cgi-bin
-rwxr-xr-x  healyp ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
                                              ^^^

Are you suggesting that ^^^ should be user instead of sys? Would that make a
difference?

Thanks,

Tony

> >> Thanks,
> >>
> >> Tony
> >
> > It should not be necessary. public_html labeled correctly will work.
> > The problem you are seeing is that this boolean was set causing suexec
> > to not work.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
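
Added example, not part of any message in this thread: a small shell check that reads `ls -Z` style lines and reports where the SELinux type differs from the labels Dominick says he uses. The function names are hypothetical, the sample lines are retyped from Tony's listing, and the mapping (public_html to httpd_user_content_t, cgi-bin and its scripts to httpd_user_script_exec_t) is an assumed reading of Dominick's shorthand.

```shell
#!/bin/sh
# Added example (not from the thread). Pure text processing, so it runs
# without SELinux; on a live host feed it `ls -lZd <paths>` output reduced to
# the five columns shown below, and check the boolean Daniel asked about with
# `getsebool httpd_suexec_disable_trans`.

# Print the type field (third component) of a context such as
# root:object_r:httpd_sys_script_exec_t (a trailing MLS level is ignored).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Sample input: the four listing lines from Tony's message.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x  healyp ftpgrp root:object_r:public_content_rw_t healyp
drwxr-xr-x  healyp ftpgrp root:object_r:public_content_rw_t public_html
drwxr-xr-x  healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
-rwxr-xr-x  healyp ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
EOF
}

# Read "perms owner group context name" lines and compare each type with the
# type assumed from Dominick's description of his working suexec setup.
check_listing() {
    while read -r perms owner group context name; do
        [ -n "$name" ] || continue
        actual=$(selinux_type "$context")
        case "$name" in
            public_html)   want=httpd_user_content_t ;;
            cgi-bin|*.cgi) want=httpd_user_script_exec_t ;;
            *)             want= ;;   # no expectation stated in the thread
        esac
        if [ -z "$want" ]; then
            echo "SKIP $name $actual"
        elif [ "$actual" = "$want" ]; then
            echo "SAME $name $actual"
        else
            echo "DIFF $name $actual (Dominick: $want)"
        fi
    done
}

sample_listing | check_listing
```

A DIFF line only marks where the two setups are labeled differently; Daniel's reply attributes the failure to the boolean, so check that as well.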