On Thursday 02 December 2010 19:07:33 Dominick Grift wrote:
> On 12/02/2010 07:58 PM, Tony Molloy wrote:
> > On Thursday 02 December 2010 18:49:34 Dominick Grift wrote:
> >> On 12/02/2010 07:27 PM, Tony Molloy wrote:
> >>> On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
> >>>> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
> >>>>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
> >>>>>> On Thursday 02 December 2010 17:37:54 m.roth@xxxxxxxxx wrote:
> >>>>>>> Tony Molloy wrote:
> >>>>>>>> On Thursday 02 December 2010 15:56:59 m.roth@xxxxxxxxx wrote:
> >>>>>>>>> Daniel J Walsh wrote:
> >>>>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
> >>>>>>>>>>> Hi,
> >>>>>>>>>>>
> >>>>>>>>>>> I'm running http on a fully updated Centos 5 system.
> >>>>>>>>>>>
> >>>>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
> >>>>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
> >>>>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
> >>>>>>>>>>>
> >>>>>>>>>>> I'm trying to run a cgi script from a user directory.
> >>>>>>>>>
> >>>>>>>>> <MVNCH>
> >>>>>>>>>
> >>>>>>>>>> Do you have httpd_suexec_disable_trans turned on?
> >>>>>>>>>
> >>>>>>>>> Actually, what bothers me is trying to run a .cgi from a user's
> >>>>>>>>> directory. Can't you create a directory ->under the apache
> >>>>>>>>> <Directory><- that the users can put scripts in for testing?
> >>>>>>>>> (I assume that once they're good, they go into the real
> >>>>>>>>> production location for .cgi.)
> >>>>>>>>
> >>>>>>>> Not so easily done ;-)
> >>>>>>>>
> >>>>>>>> This is a University environment with several hundred
> >>>>>>>> faculty/students wanting to use this server to run/check
> >>>>>>>> assignments. So they have ftp accounts where they can upload any
> >>>>>>>> scripts to their public_html directory and run them from there.
> >>>>>>>
> >>>>>>> I figured it was something like that. What I was thinking was
> >>>>>>>
> >>>>>>> /var/www/html/public_cgi/<students' directories>
> >>>>>>>
> >>>>>>> which would put them in a *legitimate* place for apache to be happy
> >>>>>>> with, and which selinux would be happy with.
> >>>>>>>
> >>>>>>> You *might* need to add them to a group named something like
> >>>>>>> pubcgi, and make the above group acceptable to selinux and apache.
> >>>>>>>
> >>>>>>> mark
> >>>>>>
> >>>>>> Interesting idea. I could give it a try next semester.
> >>>>
> >>>> Not sure if suexec would work if you set it up that way
> >>>>
> >>>> I've ~/public_html/cgi-bin
> >>>> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just
> >>>> dandy with suexec.
> >>>
> >>> I'm not clear what you are saying here.
> >>>
> >>> My SELinux contexts
> >>> -------------------
> >>>
> >>> cd /var/pub/ftp
> >>>
> >>> user directory
> >>>
> >>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp
> >>>
> >>> cd healyp
> >>>
> >>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html
> >>>                                        ^^^^^^
> >>>
> >>> cd public_html
> >>>
> >>> drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
> >>>                                        ^^^
> >>>
> >>> cd cgi-bin
> >>>
> >>> -rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
> >>>                                        ^^^
> >>>
> >>> Are you suggesting that ^^^ should be user instead of sys. Would that
> >>> make a difference.
> >>
> >> Well if that type exists in your distro then it's preferred that you use
> >> it yes. If the httpd_user* types do not exist then you can just use
> >> http_sys* types.
> >>
> >> There are some minor differences. One of which is that http_user* types
> >> are user content, meaning users can manage and relabel it. Where
> >> httpd_sys* types are system content types and users *may* not be able to
> >> do all the things they would like to it.
> >>
> >> I am not sure how that was designed on el5. But in el6 and fedora 14,
> >> you should use httpd_user* types in ~ in my opinion.
> >>
> >> But httpd_sys* types also work for the most part. It's just not optimal.
> >
> > Ok I don't want the users being able to relabel anything. They are mostly
> > students and cause enough problems as it is.
>
> Well I am not saying they can relabel everything, they just relabel to
> and from httpd_user* types. Could be useful. For example a student
> moving a script from his home directory to his public_html/cgi-bin
> directory could cause issue possibly requiring intervention if it's not
> httpd_user* type.
>
> In my view a user should be able to restore context of all contents in
> his home dir.

A user yes, a student no ;-)

No, most of these students are computer music or digital media students who
are basically Windows or Mac users who have minimal Linux experience.

> Therefore I would not use httpd_sys* types or public_content* types in
> users home directories.
>
> I would probably just
>
> adduser joe
> mkdir ~/public_html; chcon -R -t httpd_user_content_rw_t ~/public_html
> mkdir ~/public_html/cgi-bin; chcon -R -t httpd_user_script_exec_t ~/public_html/cgi-bin

They are not "home" directories. They are actually ftp home directories in
/var/ftp/pub. Students develop their scripts on their local machine and
upload them to the server using ftp.

Thanks,

Tony

> Heck you wouldn't even have to set it up yourself, since your students
> have access to both types they could just do it themselves.
>
> > Tony
> >
> >>> Thanks,
> >>>
> >>> Tony
> >>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Tony
> >>>>>
> >>>>> It should not be necessary. public_html labeled correctly will work.
> >>>>> The problem you are seeing is that this boolean was set causing
> >>>>> suexec to not work.
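An added example, not from the thread or any of its participants: a small POSIX shell audit that checks a per-user ftp web tree against the httpd_user* types Dominick recommends, and prints the semanage rules that make those labels survive a restorecon (chcon alone does not). It assumes a hypothetical layout of /var/ftp/pub/<user>/public_html/cgi-bin and that the httpd_user* types exist in the loaded policy, which Dominick states for el6 and Fedora 14 but the thread does not confirm for el5.

```shell
#!/bin/sh
# Added example (not from the thread). Audit SELinux file types under a
# per-user ftp web tree against the httpd_user* types recommended on the list.
# Assumptions: hypothetical root /var/ftp/pub/<user>/public_html/cgi-bin, and
# the httpd_user* types are present in the policy on the host.

WEBROOT=${WEBROOT:-/var/ftp/pub}
CONTENT_T=httpd_user_content_t
SCRIPT_T=httpd_user_script_exec_t

# expected_type PATH: print the type a path should carry, or nothing when the
# path is outside any public_html tree. The cgi-bin pattern is tested first.
expected_type() {
  case "$1" in
    */public_html/cgi-bin|*/public_html/cgi-bin/*) echo "$SCRIPT_T" ;;
    */public_html|*/public_html/*)                 echo "$CONTENT_T" ;;
  esac
}

# audit_labels: read "PATH CONTEXT" lines on stdin (the shape produced by
# `find "$WEBROOT" -printf '%p %Z\n'` on GNU find with SELinux support),
# report each mismatch, and print the mismatch count as the final line.
audit_labels() {
  bad=0
  while read -r path ctx; do
    want=$(expected_type "$path")
    [ -n "$want" ] || continue
    have=$(printf '%s' "$ctx" | cut -d: -f3)   # user:role:TYPE[:level]
    if [ "$have" != "$want" ]; then
      echo "MISMATCH $path has $have, want $want"
      bad=$((bad + 1))
    fi
  done
  echo "$bad"
}

# Constructed sample modelled on Tony's listing: the ftp tree carries
# public_content_rw_t and the cgi-bin carries httpd_sys_script_exec_t.
SAMPLE='/var/ftp/pub/healyp root:object_r:public_content_rw_t
/var/ftp/pub/healyp/public_html root:object_r:public_content_rw_t
/var/ftp/pub/healyp/public_html/index.html root:object_r:httpd_user_content_t
/var/ftp/pub/healyp/public_html/cgi-bin root:object_r:httpd_sys_script_exec_t
/var/ftp/pub/healyp/public_html/cgi-bin/survey.cgi root:object_r:httpd_sys_script_exec_t'

# Persistent rules: restorecon resets chcon'd labels to the file_contexts
# defaults, so record them there; the longer cgi-bin regex wins over public_html.
print_persistent_rules() {
  echo "semanage fcontext -a -t $CONTENT_T '$WEBROOT/[^/]+/public_html(/.*)?'"
  echo "semanage fcontext -a -t $SCRIPT_T '$WEBROOT/[^/]+/public_html/cgi-bin(/.*)?'"
  echo "restorecon -Rv $WEBROOT"
}

printf '%s\n' "$SAMPLE" | audit_labels   # reports 3 mismatches for the sample
```

On a live host, pipe `find "$WEBROOT" -printf '%p %Z\n'` into `audit_labels` instead of the constructed sample, and run the printed semanage/restorecon commands as root.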
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux