|
On Thursday 02 December 2010 18:49:34 Dominick Grift wrote: > On 12/02/2010 07:27 PM, Tony Molloy wrote: > > On Thursday 02 December 2010 18:10:22 Dominick Grift wrote: > >> On 12/02/2010 06:47 PM, Daniel J Walsh wrote: > >>> On 12/02/2010 12:44 PM, Tony Molloy wrote: > >>>> On Thursday 02 December 2010 17:37:54 m.roth@xxxxxxxxx wrote: > >>>>> Tony Molloy wrote: > >>>>>> On Thursday 02 December 2010 15:56:59 m.roth@xxxxxxxxx wrote: > >>>>>>> Daniel J Walsh wrote: > >>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote: > >>>>>>>>> Hi, > >>>>>>>>> > >>>>>>>>> I'm running http on a fully updated Centos 5 system. > >>>>>>>>> > >>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64 > >>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch > >>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch > >>>>>>>>> > >>>>>>>>> I'm trying to run a cgi script from a user directory. > >>>>>>> > >>>>>>> <MVNCH> > >>>>>>> > >>>>>>>> Do you have httpd_suexec_disable_trans turned on? > >>>>>>> > >>>>>>> Actually, what bothers me is trying to run a .cgi from a user's > >>>>>>> directory. Can't you create a directory ->under the apache > >>>>> > >>>>> <Directory><- that the > >>>>> > >>>>>>> users can put scripts in for testing? (I assume that once they're > >>>>>>> good, they go into the real production location for .cgi.) > >>>>>> > >>>>>> Not so easily done ;-) > >>>>>> > >>>>>> This is a University environment with several hundred > >>>>>> faculty/students wanting to use this server to run/check > >>>>>> assignments. So they have ftp > >>>>> > >>>>> accounts > >>>>> > >>>>>> where they can upload any scripts to their public_html directory and > >>>>>> run > >>>>> > >>>>> them > >>>>> > >>>>>> from there. > >>>>> > >>>>> I figured it was something like that. What I was thinking was > >>>>> > >>>>> /var/www/html/public_cgi/<students' directories> > >>>>> > >>>>> which would put them in a *legitimate* place for apache to be happy > >>>>> with, and which selinux would be happy with. > >>>>> > >>>>> You *might* need to add them to a group named something like pubcgi, > >>>>> and make the above group acceptable to selinux and apache. > >>>>> > >>>>> mark > >>>> > >>>> Interesting idea. I could give it a try next semester. > >> > >> Not sure if suexec would work if you set it up that way > >> > >> I've ~/public_html/cgi-bin > >> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just dandy > >> with suexec. > > > > I'm not clear what you are saying here. > > > > My SELinux contexts > > ------------------- > > > > cd /var/pub/ftp > > > > user directory > > > > drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp > > > > cd healyp > > > > drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html > > > > ^^^^^^ > > > > cd public_html > > > > drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin > > > > ^^^ > > > > cd cgi-bin > > > > -rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t > > survey.cgi > > > > ^^^ > > > > Are you suggesting that ^^^ should be user instead of sys. Would that > > make a difference. > > Well if that type exists in your distro than its preferred that you use > it yes. if the httpd_user* types do not exist then you can just use > http_sys* types. > > There are some minor differences. One of which is that http_user* types > are user content, meaning users can manage and relabel it. Where > httpd_sys* types are system content types and users *may* not be able to > do all the things the would like to it > > I am not sure how that was designed on el5. But in el6 and fedora 14, > you should use httpd_user* types in ~ in my opinion. > > But httpd_sys* types also work for the most part. its just not optimal > Ok I don't want the users being able to relabel anything. They are mostly students and cause enough problems as it is. Tony > > Thanks, > > > > Tony > > > >>>> Thanks, > >>>> > >>>> Tony > >>> > >>> It should not be necessary. public_html labeled correctly will work. > >>> THe problem you are seeing is that this boolean was set causing suexec > >>> to not work. |
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
