[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: CGI Script permissions

Jochen Wiedmann wrote:
Paul Howarth wrote:

The simplest fix might be to change the file context of this particular
CGI script to httpd_unconfined_script_exec_t instead of
httpd_sys_script_t. That would effectively turn off SELinux protection
for that particular script.

The alternative approach of using audit2allow to create a local policy
to allow these capabilities would turn on these capabilities for *all*
of your CGI scripts, which IMHO would be worse than turning off
protection for just that one script (particularly if that script was
well-audited for security issues).

Ideally it would be easy to create a subclass of CGI scripts and assign
special capabilities to those (I have a similar issue with FastCGI
scripts that need slightly more capabilities than regular CGI scripts),
but that's beyond me at this moment.

As the script in question can indeed be called well-audited (basically, it
just allows to trigger a certain action by calling another script with
fixed attributes), I have decided to go with httpd_unconfined_script_exec_t.
That did the trick neatly.

Thanks very much,


Another alternative might be to write your own module

Create three files

# cat  >> myapache.te  << _EOF
allow httpd_myapache_script_t self:capability setuid;
allow httpd_myapache_script_t self:process setrlimit;

echo > myapache.if

# cat  >> myapache.te  << _EOF
/var/www/cgi-bin/myapache_script -- gen_context(system_u:object_r:httpd_myapache_script_exec_t,s0)

Then build a policy module.

make -f /usr/share/selinux/devel/Makefile

semodule -i myapache.pp

restorecon -F -v /var/www/cgi-bin/myapache_script

Then try it out.
Of course you might need additional rules.

fedora-selinux-list mailing list
fedora-selinux-list redhat com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]