On 12/02/2010 07:58 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 18:49:34 Dominick Grift wrote:
>> On 12/02/2010 07:27 PM, Tony Molloy wrote:
>>> On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
>>>> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
>>>>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>>>>>> On Thursday 02 December 2010 17:37:54 m.roth@xxxxxxxxx wrote:
>>>>>>> Tony Molloy wrote:
>>>>>>>> On Thursday 02 December 2010 15:56:59 m.roth@xxxxxxxxx wrote:
>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I'm running http on a fully updated CentOS 5 system.
>>>>>>>>>>>
>>>>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to run a cgi script from a user directory.
>>>>>>>>>
>>>>>>>>> <MVNCH>
>>>>>>>>>
>>>>>>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>>>>>>
>>>>>>>>> Actually, what bothers me is trying to run a .cgi from a user's
>>>>>>>>> directory. Can't you create a directory ->under the apache
>>>>>>>>> <Directory><- that the users can put scripts in for testing?
>>>>>>>>> (I assume that once they're good, they go into the real
>>>>>>>>> production location for .cgi.)
>>>>>>>>
>>>>>>>> Not so easily done ;-)
>>>>>>>>
>>>>>>>> This is a University environment with several hundred
>>>>>>>> faculty/students wanting to use this server to run/check
>>>>>>>> assignments. So they have ftp accounts where they can upload any
>>>>>>>> scripts to their public_html directory and run them from there.
>>>>>>>
>>>>>>> I figured it was something like that. What I was thinking was
>>>>>>>
>>>>>>> /var/www/html/public_cgi/<students' directories>
>>>>>>>
>>>>>>> which would put them in a *legitimate* place for apache to be happy
>>>>>>> with, and which selinux would be happy with.
>>>>>>>
>>>>>>> You *might* need to add them to a group named something like pubcgi,
>>>>>>> and make the above group acceptable to selinux and apache.
>>>>>>>
>>>>>>> mark
>>>>>>
>>>>>> Interesting idea. I could give it a try next semester.
>>>>
>>>> Not sure if suexec would work if you set it up that way.
>>>>
>>>> I've ~/public_html/cgi-bin
>>>> ~/(httpd_user_content_t)/(httpd_user_script_exec_t) and it works just
>>>> dandy with suexec.
>>>
>>> I'm not clear what you are saying here.
>>>
>>> My SELinux contexts
>>> -------------------
>>>
>>> cd /var/pub/ftp
>>>
>>> user directory
>>>
>>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp
>>>
>>> cd healyp
>>>
>>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html
>>>                                        ^^^^^^
>>>
>>> cd public_html
>>>
>>> drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
>>>                                        ^^^
>>>
>>> cd cgi-bin
>>>
>>> -rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
>>>                                        ^^^
>>>
>>> Are you suggesting that ^^^ should be user instead of sys? Would that
>>> make a difference?
>>
>> Well, if that type exists in your distro then it's preferred that you use
>> it, yes. If the httpd_user* types do not exist then you can just use
>> httpd_sys* types.
>>
>> There are some minor differences. One of which is that httpd_user* types
>> are user content, meaning users can manage and relabel it. Whereas
>> httpd_sys* types are system content types and users *may* not be able to
>> do all the things they would like to with it.
>>
>> I am not sure how that was designed on el5. But in el6 and Fedora 14,
>> you should use httpd_user* types in ~ in my opinion.
>>
>> But httpd_sys* types also work for the most part. It's just not optimal.
>
> Ok, I don't want the users being able to relabel anything. They are mostly
> students and cause enough problems as it is.

Well, I am not saying they can relabel everything, they can just relabel to
and from httpd_user* types. Could be useful. For example a student moving a
script from his home directory to his public_html/cgi-bin directory could
cause issues possibly requiring intervention if it's not an httpd_user* type.

In my view a user should be able to restore the context of all contents in
his home dir. Therefore I would not use httpd_sys* types or public_content*
types in users' home directories.

I would probably just:

adduser joe
mkdir ~/public_html; chcon -R -t httpd_user_content_rw_t ~/public_html
mkdir ~/public_html/cgi-bin; chcon -R -t httpd_user_script_exec_t ~/public_html/cgi-bin

Heck, you wouldn't even have to set it up yourself; since your students have
access to both types they could just do it themselves.

>
> Tony
>
>>> Thanks,
>>>
>>> Tony
>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Tony
>>>>>
>>>>> It should not be necessary. public_html labeled correctly will work.
>>>>> The problem you are seeing is that this boolean was set, causing suexec
>>>>> to not work.
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
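As an added example (not part of the thread, and not anyone's posted code), the following script audits a student's ~/public_html tree against the layout Dominick describes: httpd_user_content_rw_t on public_html and httpd_user_script_exec_t on public_html/cgi-bin. It reads "path context" lines such as `stat -c '%n %C'` produces, so it runs without SELinux; the listing it checks here is constructed, and the script assumes the httpd_user* type names from the thread exist in the policy (el6/Fedora) and that everything outside public_html should be user_home_t. It only emits the chcon commands that would repair the drift; it does not run them.

```shell
#!/bin/sh
# Added example: audit SELinux types under a user's ~/public_html against the
# httpd_user* layout from the thread and print the chcon commands that would
# fix drift. Input lines: "<path relative to ~> <user>:<role>:<type>:<level>".

# Type a path (relative to the home directory) should carry.
# Assumption: files outside public_html are plain home content (user_home_t).
expected_type() {
    case "$1" in
        public_html/cgi-bin|public_html/cgi-bin/*) echo httpd_user_script_exec_t ;;
        public_html|public_html/*)                 echo httpd_user_content_rw_t ;;
        *)                                         echo user_home_t ;;
    esac
}

# Third field of a context string user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "path context" lines on stdin; print one chcon command per entry whose
# type differs from the expected one. Returns 1 when any drift was found.
audit_labels() {
    drift=0
    while read -r path ctx; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        have=$(context_type "$ctx")
        if [ "$have" != "$want" ]; then
            printf 'chcon -t %s ~/%s   # was %s\n' "$want" "$path" "$have"
            drift=$((drift + 1))
        fi
    done
    [ "$drift" -eq 0 ]
}

# Constructed sample listing: cgi-bin still carries the system type from the
# original setup, and survey.cgi moved in from the home dir kept user_home_t.
sample_listing() {
    cat <<'EOF'
public_html unconfined_u:object_r:httpd_user_content_rw_t:s0
public_html/index.html unconfined_u:object_r:httpd_user_content_rw_t:s0
public_html/cgi-bin unconfined_u:object_r:httpd_sys_script_exec_t:s0
public_html/cgi-bin/survey.cgi unconfined_u:object_r:user_home_t:s0
notes.txt unconfined_u:object_r:user_home_t:s0
EOF
}

# Number of drifted entries in the constructed sample.
sample_drift_count() {
    sample_listing | audit_labels | wc -l | tr -d ' '
}

# Demonstration: list the repair commands for the sample (two entries drift).
sample_listing | audit_labels || echo "label drift found: $(sample_drift_count) entries"
```

On a real system the same check is fed from the home directory with `find public_html -exec stat -c '%n %C' {} + | audit_labels` (GNU stat's `%C` prints the SELinux context). On a policy that lacks the httpd_user* types, as Dominick notes may be the case on el5, the expected names in `expected_type` would have to be the httpd_sys* equivalents instead.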