Re: http AVC

On Thursday 02 December 2010 18:49:34 Dominick Grift wrote:
> On 12/02/2010 07:27 PM, Tony Molloy wrote:
> > On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
> >> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
> >>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
> >>>> On Thursday 02 December 2010 17:37:54 m.roth@xxxxxxxxx wrote:
> >>>>> Tony Molloy wrote:
> >>>>>> On Thursday 02 December 2010 15:56:59 m.roth@xxxxxxxxx wrote:
> >>>>>>> Daniel J Walsh wrote:
> >>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
> >>>>>>>>> Hi,
> >>>>>>>>>
> >>>>>>>>> I'm running http on a fully updated Centos 5 system.
> >>>>>>>>>
> >>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
> >>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
> >>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
> >>>>>>>>>
> >>>>>>>>> I'm trying to run a cgi script from a user directory.
> >>>>>>>
> >>>>>>> <MVNCH>
> >>>>>>>
> >>>>>>>> Do you have httpd_suexec_disable_trans turned on?
> >>>>>>>
> >>>>>>> Actually, what bothers me is trying to run a .cgi from a user's
> >>>>>>> directory. Can't you create a directory ->under the apache
> >>>>>>> <Directory><- that the users can put scripts in for testing?
> >>>>>>> (I assume that once they're good, they go into the real
> >>>>>>> production location for .cgi.)
> >>>>>>
> >>>>>> Not so easily done ;-)
> >>>>>>
> >>>>>> This is a University environment with several hundred
> >>>>>> faculty/students wanting to use this server to run/check
> >>>>>> assignments. So they have ftp accounts where they can upload
> >>>>>> any scripts to their public_html directory and run them from
> >>>>>> there.
> >>>>>
> >>>>> I figured it was something like that. What I was thinking was
> >>>>>
> >>>>> /var/www/html/public_cgi/<students' directories>
> >>>>>
> >>>>> which would put them in a *legitimate* place for apache to be happy
> >>>>> with, and which selinux would be happy with.
> >>>>>
> >>>>> You *might* need to add them to a group named something like pubcgi,
> >>>>> and make the above group acceptable to selinux and apache.
> >>>>>
> >>>>> mark
> >>>>
> >>>> Interesting idea. I could give it a try next semester.
> >>
> >> Not sure if suexec would work if you set it up that way.
> >>
> >> I've ~/public_html/cgi-bin
> >> ~/(httpd_user_content_t)/(httpd_user_script_exec_t) and works just dandy
> >> with suexec.
> >
> > I'm not clear what you are saying here.
> >
> > My SELinux contexts
> > -------------------
> >
> > cd /var/pub/ftp
> >
> > user directory
> >
> > drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp
> >
> > cd healyp
> >
> > drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html
> >                                        ^^^^^^
> > cd public_html
> >
> > drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
> >                                              ^^^
> > cd cgi-bin
> >
> > -rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
> >                                              ^^^
> > Are you suggesting that ^^^ should be user instead of sys. Would that
> > make a difference.
>
> Well, if that type exists in your distro then it's preferred that you use
> it, yes. If the httpd_user* types do not exist then you can just use
> httpd_sys* types.
>
> There are some minor differences. One of which is that httpd_user* types
> are user content, meaning users can manage and relabel it. Whereas
> httpd_sys* types are system content types and users *may* not be able to
> do all the things they would like to it.
>
> I am not sure how that was designed on el5. But in el6 and fedora 14,
> you should use httpd_user* types in ~ in my opinion.
>
> But httpd_sys* types also work for the most part. It's just not optimal.
>

OK, I don't want the users to be able to relabel anything. They are mostly students and cause enough problems as it is.

Tony

> > Thanks,
> >
> > Tony
> >
> >>>> Thanks,
> >>>>
> >>>> Tony
> >>>
> >>> It should not be necessary. public_html labeled correctly will work.
> >>> The problem you are seeing is that this boolean was set, causing suexec
> >>> to not work.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
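The advice in the thread, turned into a script as an added example (this is not code from any of the posters): pick httpd_user_* types when the loaded policy defines them and httpd_sys_* otherwise, audit an `ls -Z` listing for entries that do not carry the expected type, and, on a real host, write the file contexts and clear the `httpd_suexec_disable_trans` boolean that Dan Walsh identified as the reason suexec was not transitioning. Assumptions: the home directories live under /var/pub/ftp as in Tony's listing; `seinfo` from setools is present for the type lookup (if it is not, the script falls back to the httpd_sys_* types); the `httpd_enable_cgi` and `httpd_enable_homedirs` booleans are not mentioned in the thread and are added here because user-directory CGI needs them; the sample listing is constructed from what Tony pasted, not captured from a live system.

```shell
#!/bin/sh
# Added example for the "http AVC" thread; not from the original posts.
# Prefer httpd_user_* types for ~/public_html when the policy has them,
# fall back to httpd_sys_*, and keep suexec's domain transition enabled.

# Strip leading whitespace so `seinfo -t` output (indented, one type per
# line) and hand-written type lists both work.
_types() { printf '%s\n' "$1" | sed 's/^[[:space:]]*//'; }

# Content type for public_html: the user variant if the policy defines it.
pick_content_type() {
    if _types "$1" | grep -qx 'httpd_user_content_t'; then
        echo httpd_user_content_t
    else
        echo httpd_sys_content_t
    fi
}

# Script type for public_html/cgi-bin and the .cgi files inside it.
pick_script_type() {
    if _types "$1" | grep -qx 'httpd_user_script_exec_t'; then
        echo httpd_user_script_exec_t
    else
        echo httpd_sys_script_exec_t
    fi
}

# Audit `ls -Z` output for public_html and its cgi-bin. Works with the EL5
# layout pasted in the thread ("perms user group context name") and with
# newer coreutils ("context name", or `ls -lZ`): the context is the field
# containing ":object_r:", the name is the last field (names with spaces
# are not handled). Prints "name:actual_type:expected_type" per mismatch.
#   $1 = listing, $2 = expected content type, $3 = expected script type
audit_labels() {
    printf '%s\n' "$1" | awk -v ct="$2" -v st="$3" '
        {
            ctx = ""
            for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) ctx = $i
            if (ctx == "") next
            split(ctx, c, ":"); type = c[3]; name = $NF
            want = (name == "cgi-bin" || name ~ /\.cgi$/) ? st : ct
            if (type != want) printf "%s:%s:%s\n", name, type, want
        }'
}

# Apply on a real host (root, policycoreutils, setools). Not run by default.
# Home directories under /var/pub/ftp as in the thread (assumption).
apply_labels() {
    home_root=${1:-/var/pub/ftp}
    types=$(seinfo -t 2>/dev/null || true)   # empty without setools -> sys types
    ct=$(pick_content_type "$types")
    st=$(pick_script_type "$types")
    # The later fcontext entry wins, so the cgi-bin rule goes second.
    semanage fcontext -a -t "$ct" "$home_root/[^/]+/public_html(/.*)?"
    semanage fcontext -a -t "$st" "$home_root/[^/]+/public_html/cgi-bin(/.*)?"
    restorecon -Rv "$home_root"
    # Dan Walsh's point: with this boolean on, suexec never transitions.
    setsebool -P httpd_suexec_disable_trans=off
    # Assumed here, not from the thread: user-directory CGI needs both.
    setsebool -P httpd_enable_cgi=on httpd_enable_homedirs=on
}

# Offline demo on a listing constructed from the contexts Tony pasted.
SAMPLE='drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html
drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
-rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi'

if [ "${1:-}" = --apply ]; then
    apply_labels "${2:-}"
else
    # With no type list the sys types are chosen, so only public_html
    # (still public_content_rw_t) is reported.
    audit_labels "$SAMPLE" "$(pick_content_type '')" "$(pick_script_type '')"
fi
```

Run it with no arguments to see the audit of the constructed listing; `./script --apply /var/pub/ftp` performs the relabel. `semanage fcontext -a` fails if a pattern is already registered, in which case use `-m` instead, and if your policy has no `httpd_suexec_disable_trans` boolean `setsebool` will say so and that line can be dropped. The audit deliberately says nothing about the users' top-level directories: the thread leaves those as `public_content_rw_t` for FTP uploads and only questions the labels from `public_html` downward.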
