On 12/02/2010 02:21 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 19:07:33 Dominick Grift wrote:
>> On 12/02/2010 07:58 PM, Tony Molloy wrote:
>>> On Thursday 02 December 2010 18:49:34 Dominick Grift wrote:
>>>> On 12/02/2010 07:27 PM, Tony Molloy wrote:
>>>>> On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
>>>>>> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
>>>>>>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>>>>>>>> On Thursday 02 December 2010 17:37:54 m.roth@xxxxxxxxx wrote:
>>>>>>>>> Tony Molloy wrote:
>>>>>>>>>> On Thursday 02 December 2010 15:56:59 m.roth@xxxxxxxxx wrote:
>>>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm running http on a fully updated Centos 5 system.
>>>>>>>>>>>>>
>>>>>>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm trying to run a cgi script from a user directory.
>>>>>>>>>>>
>>>>>>>>>>> <MVNCH>
>>>>>>>>>>>
>>>>>>>>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>>>>>>>>
>>>>>>>>>>> Actually, what bothers me is trying to run a .cgi from a user's
>>>>>>>>>>> directory. Can't you create a directory ->under the apache
>>>>>>>>>>> <Directory><- that the users can put scripts in for testing?
>>>>>>>>>>> (I assume that once they're good, they go into the real
>>>>>>>>>>> production location for .cgi.)
>>>>>>>>>>
>>>>>>>>>> Not so easily done ;-)
>>>>>>>>>>
>>>>>>>>>> This is a University environment with several hundred
>>>>>>>>>> faculty/students wanting to use this server to run/check
>>>>>>>>>> assignments. So they have ftp accounts where they can upload
>>>>>>>>>> any scripts to their public_html directory and run them from
>>>>>>>>>> there.
>>>>>>>>>
>>>>>>>>> I figured it was something like that. What I was thinking was
>>>>>>>>>
>>>>>>>>> /var/www/html/public_cgi/<students' directories>
>>>>>>>>>
>>>>>>>>> which would put them in a *legitimate* place for apache to be happy
>>>>>>>>> with, and which selinux would be happy with.
>>>>>>>>>
>>>>>>>>> You *might* need to add them to a group named something like
>>>>>>>>> pubcgi, and make the above group acceptable to selinux and apache.
>>>>>>>>>
>>>>>>>>> mark
>>>>>>>>
>>>>>>>> Interesting idea. I could give it a try next semester.
>>>>>>
>>>>>> Not sure if suexec would work if you set it up that way.
>>>>>>
>>>>>> I've ~/public_html/cgi-bin
>>>>>> ~/(httpd_user_content_t)/(httpd_user_script_exec_t) and it works just
>>>>>> dandy with suexec.
>>>>>
>>>>> I'm not clear what you are saying here.
>>>>>
>>>>> My SELinux contexts
>>>>> -------------------
>>>>>
>>>>> cd /var/pub/ftp
>>>>>
>>>>> user directory
>>>>>
>>>>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp
>>>>>
>>>>> cd healyp
>>>>>
>>>>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html
>>>>>                                        ^^^^^^
>>>>>
>>>>> cd public_html
>>>>>
>>>>> drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
>>>>>                                              ^^^
>>>>>
>>>>> cd cgi-bin
>>>>>
>>>>> -rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
>>>>>                                              ^^^
>>>>>
>>>>> Are you suggesting that ^^^ should be user instead of sys? Would that
>>>>> make a difference?
>>>>
>>>> Well, if that type exists in your distro then it's preferred that you use
>>>> it, yes. If the httpd_user* types do not exist then you can just use
>>>> httpd_sys* types.
>>>>
>>>> There are some minor differences. One of which is that httpd_user* types
>>>> are user content, meaning users can manage and relabel it. Whereas
>>>> httpd_sys* types are system content types and users *may* not be able to
>>>> do all the things they would like to it.
>>>>
>>>> I am not sure how that was designed on el5. But in el6 and fedora 14,
>>>> you should use httpd_user* types in ~ in my opinion.
>>>>
>>>> But httpd_sys* types also work for the most part. It's just not optimal.
>>>
>>> Ok, I don't want the users being able to relabel anything. They are mostly
>>> students and cause enough problems as it is.
>>
>> Well, I am not saying they can relabel everything; they can just relabel to
>> and from httpd_user* types. Could be useful. For example a student
>> moving a script from his home directory to his public_html/cgi-bin
>> directory could cause an issue possibly requiring intervention if it's not
>> an httpd_user* type.
>>
>> In my view a user should be able to restore the context of all contents in
>> his home dir.
>>
>
> A user yes, a student no ;-)
>
> No, most of these students are computer music or digital media students who
> are basically Windows or Mac users who have minimal Linux experience.
>
>> Therefore I would not use httpd_sys* types or public_content* types in
>> users' home directories.
>>
>> I would probably just
>>
>> adduser joe
>> mkdir ~/public_html; chcon -R -t httpd_user_content_rw_t ~/public_html
>> mkdir ~/public_html/cgi-bin; chcon -R -t httpd_user_script_exec_t ~/public_html/cgi-bin
>>
>
> They are not "home" directories. They are actually ftp home directories in
> /var/ftp/pub. Students develop their scripts on their local machine and upload
> them to the server using ftp.
>
> Thanks,
>
> Tony
>
>> Heck, you wouldn't even have to set it up yourself; since your students
>> have access to both types they could just do it themselves.
>>
>>> Tony
>>>
>>>>> Thanks,
>>>>>
>>>>> Tony
>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Tony
>>>>>>>
>>>>>>> It should not be necessary. public_html labeled correctly will work.
>>>>>>> The problem you are seeing is that this boolean was set, causing
>>>>>>> suexec to not work.
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

miscfiles_read_public_files(httpd_suexec_t)

Needs to be added. It is in RHEL6. I will get it into the RHEL5 update.
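The labelling Dominick describes (httpd_user_content_rw_t on public_html, httpd_user_script_exec_t on cgi-bin) is easy to apply once and hard to keep correct when several hundred students upload over ftp, so a script that both applies it and audits a tree for drift is the check an admin would want. The following is an added example, not code from the thread or from the selinux-policy project. It assumes the httpd_user_* types exist on the host (el6/Fedora 14 per the thread; override CONTENT_TYPE and SCRIPT_TYPE on a policy that lacks them), and the audit input format it reads is what a GNU find that supports `-printf '%Z %P\n'` produces; the sample listings inside it are constructed to mirror the listing Tony posted, not real output.

```shell
#!/bin/sh
# Added example (not from the thread): label a user's public_html tree the way
# Dominick suggests, and audit an existing tree for labels that do not match.
# Assumes the httpd_user_* types exist; override the two variables otherwise.

CONTENT_TYPE=${CONTENT_TYPE:-httpd_user_content_rw_t}
SCRIPT_TYPE=${SCRIPT_TYPE:-httpd_user_script_exec_t}

# Expected type for a path given relative to the public_html root (an empty
# path is the root itself): cgi-bin and everything beneath it gets the script
# type, everything else gets the rw content type.
expected_type() {
    case "$1" in
        cgi-bin|cgi-bin/*) printf '%s\n' "$SCRIPT_TYPE" ;;
        *)                 printf '%s\n' "$CONTENT_TYPE" ;;
    esac
}

# Apply the labels to a real tree, e.g.
#     label_public_html /var/ftp/pub/healyp/public_html
# Order matters: the content label is applied recursively first, then the
# cgi-bin subtree is overridden with the script label, as in the thread.
# Needs chcon on an SELinux host; not exercised by the self-check below.
label_public_html() {
    root=$1
    mkdir -p "$root/cgi-bin"
    chcon -R -t "$CONTENT_TYPE" "$root"
    chcon -R -t "$SCRIPT_TYPE" "$root/cgi-bin"
}

# Audit: read "context path" lines on stdin, where context is
# user:role:type[:level] and path is relative to the public_html root.
# A GNU find with SELinux support produces that format when run from the root:
#     cd "$root" && find . -printf '%Z %P\n' | audit_labels
# Prints one "path actual expected" line per mislabelled object.
audit_labels() {
    while read -r ctx path; do
        actual=$(printf '%s' "$ctx" | cut -d: -f3)
        want=$(expected_type "$path")
        [ "$actual" = "$want" ] || printf '%s %s %s\n' "${path:-.}" "$actual" "$want"
    done
    return 0
}

# Number of mislabelled objects on stdin (0 means the tree is clean).
count_mismatches() {
    audit_labels | wc -l | tr -d ' '
}

# Constructed sample modelled on the listing Tony posted (not real output):
# public_html still carries the ftp public_content_rw_t label and cgi-bin
# uses the httpd_sys_* script type.
SAMPLE_BEFORE='root:object_r:public_content_rw_t:s0
root:object_r:httpd_sys_script_exec_t:s0 cgi-bin
root:object_r:httpd_sys_script_exec_t:s0 cgi-bin/survey.cgi'

# The same tree after label_public_html has run (constructed).
SAMPLE_AFTER='root:object_r:httpd_user_content_rw_t:s0
root:object_r:httpd_user_script_exec_t:s0 cgi-bin
root:object_r:httpd_user_script_exec_t:s0 cgi-bin/survey.cgi'

echo "before relabel (path actual expected):"
printf '%s\n' "$SAMPLE_BEFORE" | audit_labels
echo "mismatches before: $(printf '%s\n' "$SAMPLE_BEFORE" | count_mismatches)"
echo "mismatches after:  $(printf '%s\n' "$SAMPLE_AFTER" | count_mismatches)"
```

Two caveats for production use. Labels set with chcon are lost on a full relabel (restorecon over the tree, or a relabel at boot); to make them survive, register the pattern with `semanage fcontext -a -t httpd_user_script_exec_t '/var/ftp/pub/[^/]+/public_html/cgi-bin(/.*)?'` (and the matching content rule) and then run restorecon. And, per Dan's diagnosis above, correct labels alone do not help if the boolean is set: `getsebool httpd_suexec_disable_trans` should report off, otherwise suexec runs unconfined and the script types are never consulted.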