On 12/02/2010 07:27 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
>> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
>>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>>>> On Thursday 02 December 2010 17:37:54 m.roth@xxxxxxxxx wrote:
>>>>> Tony Molloy wrote:
>>>>>> On Thursday 02 December 2010 15:56:59 m.roth@xxxxxxxxx wrote:
>>>>>>> Daniel J Walsh wrote:
>>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I'm running http on a fully updated Centos 5 system.
>>>>>>>>>
>>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>>>
>>>>>>>>> I'm trying to run a cgi script from a user directory.
>>>>>>>
>>>>>>> <MVNCH>
>>>>>>>
>>>>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>>>>
>>>>>>> Actually, what bothers me is trying to run a .cgi from a user's
>>>>>>> directory. Can't you create a directory ->under the apache
>>>>>>> <Directory><- that the users can put scripts in for testing?
>>>>>>> (I assume that once they're good, they go into the real
>>>>>>> production location for .cgi.)
>>>>>>
>>>>>> Not so easily done ;-)
>>>>>>
>>>>>> This is a University environment with several hundred faculty/students
>>>>>> wanting to use this server to run/check assignments. So they have ftp
>>>>>> accounts where they can upload any scripts to their public_html
>>>>>> directory and run them from there.
>>>>>
>>>>> I figured it was something like that. What I was thinking was
>>>>>
>>>>> /var/www/html/public_cgi/<students' directories>
>>>>>
>>>>> which would put them in a *legitimate* place for apache to be happy
>>>>> with, and which selinux would be happy with.
>>>>>
>>>>> You *might* need to add them to a group named something like pubcgi,
>>>>> and make the above group acceptable to selinux and apache.
>>>>>
>>>>> mark
>>>>
>>>> Interesting idea. I could give it a try next semester.
>>
>> Not sure if suexec would work if you set it up that way
>>
>> I've ~/public_html/cgi-bin
>> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just dandy
>> with suexec.
>>
>
> I'm not clear what you are saying here.

As for the suexec comment: I am not sure if suexec works if you do not
have the userdirs in /home/*/public_html. So suexec might not work if you
let your users use: /var/www/html/public_cgi/<students'

>
> My SELinux contexts
> -------------------
>
> cd /var/pub/ftp
>
> user directory
>
> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp
>
> cd healyp
>
> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html
>                                        ^^^^^^
> cd public_html
>
> drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
>                                              ^^^
> cd cgi-bin
>
> -rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
>                                              ^^^
>
>
> Are you suggesting that ^^^ should be user instead of sys. Would that make a
> difference.
>
> Thanks,
>
> Tony
>>>> Thanks,
>>>>
>>>> Tony
>>>
>>> It should not be necessary. public_html labeled correctly will work.
>>> The problem you are seeing is that this boolean was set causing suexec
>>> to not work.
>
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux