CGI can't read public_html files
Hello!

I want to access public_html files from CGI script, but can't do it - got AVC error during reading README file from public_html dir:

-----------------------------------------------------------------------
[root@elc6002s nuald]# tail /var/log/messages | grep setroubleshoot -m 1
Nov 29 13:42:51 elc6002s setroubleshoot: #012 SELinux is preventing the format.cgi from using potentially mislabeled files <Unknown> (unconfined_home_dir_t).#012 For complete SELinux messages. run sealert -l 69519bd7-3e77-46d9-b845-7f066c4515e6
-----------------------------------------------------------------------

I have only one item with unconfined_home_dir_t type in the path to README file:

-----------------------------------------------------------------------
[nuald@elc6002s public_html]$ ls -Z `pwd`/README && pushd . > /dev/null && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd > /dev/null

-rw-rw-r-- nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/README
drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html
drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0 /home/nuald
drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
-----------------------------------------------------------------------

So, only my home dir has unconfined_home_dir_t type. But I do not want to change it to httpd_sys_content_t type and I don't like this solution.

The CGI script itself works fine either it has httpd_user_content_t type now:

-----------------------------------------------------------------------
[nuald@elc6002s cgi-bin]$ ls -Z `pwd`/format.cgi && pushd . > /dev/null && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd > /dev/null

-rwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/cgi-bin/format.cgi
drwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/cgi-bin
drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html
drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0 /home/nuald
drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
-----------------------------------------------------------------------

So the script only can't read files in public_html folder. What is the right way to fix it?

The script itself is below and used as http://localhost/~nuald/cgi-bin/format.cgi?file=README

-----------------------------------------------------------------------
[nuald@elc6002s cgi-bin]$ cat format.cgi

#!/usr/bin/perl -wT

use strict;
use CGI qw/:standard/;
use IO::File;
use File::Spec;
use Cwd 'realpath';

print header;
my $filename = param('file') or die "Can be executed only as CGI";
my $updir = File::Spec->updir();
my $rel_path = File::Spec->catfile($updir, $filename);
my $path = realpath($rel_path) ;
my $file = IO::File->new($path,"<") or die "Can't open file $path";
my $text = join "", <$file>;
$file->close or die "Can't close file";

print $text;
-----------------------------------------------------------------------

Thanks in advance.

--
Best regards,
Alex Slesarev.
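The two pieces of evidence in the post above can be correlated mechanically. The following is an added example, not part of the original message: it extracts the flagged type and the sealert ID from the setroubleshoot line, then finds which component of the `ls -Z` path walk carries that type. The sample inputs are copied from the post; the function names are hypothetical.

```python
import re

# Sample inputs copied from the post above.
SYSLOG = ("Nov 29 13:42:51 elc6002s setroubleshoot: #012 SELinux is preventing "
          "the format.cgi from using potentially mislabeled files <Unknown> "
          "(unconfined_home_dir_t).#012 For complete SELinux messages. run "
          "sealert -l 69519bd7-3e77-46d9-b845-7f066c4515e6")

PATH_WALK = """\
-rw-rw-r-- nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/README
drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html
drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0 /home/nuald
drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
"""


def parse_setroubleshoot(line):
    """Return (process, flagged_type, sealert_id) from a setroubleshoot syslog line."""
    text = line.replace("#012", "\n")  # syslog writes embedded newlines as #012
    proc = re.search(r"SELinux is preventing (?:the )?(\S+)", text)
    setype = re.search(r"\((\w+_t)\)", text)
    alert = re.search(r"sealert -l ([0-9a-f-]{36})", text)
    return tuple(m.group(1) if m else None for m in (proc, setype, alert))


def parse_ls_z(listing):
    """Parse `ls -Z` lines laid out as: mode user group context path."""
    entries = []
    for line in listing.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue  # blank line or unexpected layout
        mode, _user, _group, context, path = parts
        fields = context.split(":")  # user:role:type:level
        if len(fields) >= 3:
            entries.append({"path": path, "type": fields[2],
                            "is_dir": mode.startswith("d")})
    return entries


def triage(syslog_line, listing):
    """Match the type named in the alert against every component of the path walk."""
    process, setype, alert_id = parse_setroubleshoot(syslog_line)
    hits = [e["path"] for e in parse_ls_z(listing) if e["type"] == setype]
    return {"process": process, "type": setype,
            "sealert_id": alert_id, "matching_paths": hits}


if __name__ == "__main__":
    print(triage(SYSLOG, PATH_WALK))
```
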
CGI can't read public_html files
Alex Slesarev wrote:
> Hello!
>
> I want to access public_html files from CGI script, but can't do it -
> got AVC error during reading README file from public_html dir:
>
> -----------------------------------------------------------------------
> [root@elc6002s nuald]# tail /var/log/messages | grep setroubleshoot -m 1
>
> Nov 29 13:42:51 elc6002s setroubleshoot: #012 SELinux is preventing
> the format.cgi from using potentially mislabeled files <Unknown>
> (unconfined_home_dir_t).#012 For complete SELinux messages. run
> sealert -l 69519bd7-3e77-46d9-b845-7f066c4515e6
> -----------------------------------------------------------------------
>
> I have only one item with unconfined_home_dir_t type in the path to
> README file:
>
> -----------------------------------------------------------------------
> [nuald@elc6002s public_html]$ ls -Z `pwd`/README && pushd . > /dev/null
> && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd >
> /dev/null
>
> -rw-rw-r-- nuald nuald system_u:object_r:httpd_user_content_t:s0
> /home/nuald/public_html/README
> drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0
> /home/nuald/public_html
> drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0
> /home/nuald
> drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
> -----------------------------------------------------------------------
>
> So, only my home dir has unconfined_home_dir_t type. But I do not want
> to change it to httpd_sys_content_t type and I don't like this solution.
>
> The CGI script itself works fine either it has httpd_user_content_t
> type now:
>
> -----------------------------------------------------------------------
> [nuald@elc6002s cgi-bin]$ ls -Z `pwd`/format.cgi && pushd . > /dev/null
> && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd >
> /dev/null
>
> -rwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0
> /home/nuald/public_html/cgi-bin/format.cgi
> drwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0
> /home/nuald/public_html/cgi-bin
> drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0
> /home/nuald/public_html
> drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0
> /home/nuald
> drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
> -----------------------------------------------------------------------
>
> So the script only can't read files in public_html folder. What is the right
> way to fix it?
>
> The script itself is below and used as
> http://localhost/~nuald/cgi-bin/format.cgi?file=README
> <http://localhost/%7Enuald/cgi-bin/format.cgi?file=README>
> -----------------------------------------------------------------------
> [nuald@elc6002s cgi-bin]$ cat format.cgi
>
> #!/usr/bin/perl -wT
>
> use strict;
> use CGI qw/:standard/;
> use IO::File;
> use File::Spec;
> use Cwd 'realpath';
>
> print header;
> my $filename = param('file') or die "Can be executed only as CGI";
> my $updir = File::Spec->updir();
> my $rel_path = File::Spec->catfile($updir, $filename);
> my $path = realpath($rel_path) ;
> my $file = IO::File->new($path,"<") or die "Can't open file $path";
> my $text = join "", <$file>;
> $file->close or die "Can't close file";
>
> print $text;
> -----------------------------------------------------------------------
>
> Thanks in advance.

What selinux policy are you running?

rpm -q selinux-policy