12-01-2007, 12:24 AM
Alex Slesarev

CGI can't read public_html files

Hello!

I want to access public_html files from a CGI script, but can't do it -
I got an AVC error while reading the README file from the public_html dir:

-----------------------------------------------------------------------
[root@elc6002s nuald]# tail /var/log/messages | grep setroubleshoot -m 1

Nov 29 13:42:51 elc6002s setroubleshoot: #012 SELinux is preventing
the format.cgi from using potentially mislabeled files <Unknown>
(unconfined_home_dir_t).#012 For complete SELinux messages. run
sealert -l 69519bd7-3e77-46d9-b845-7f066c4515e6
-----------------------------------------------------------------------

I have only one item with the unconfined_home_dir_t type in the path to
the README file:

-----------------------------------------------------------------------
[nuald@elc6002s public_html]$ ls -Z `pwd`/README && pushd . > /dev/null && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd > /dev/null

-rw-rw-r-- nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/README
drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html
drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0 /home/nuald
drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
-----------------------------------------------------------------------

So, only my home dir has the unconfined_home_dir_t type. But I do not want
to change it to httpd_sys_content_t type and I don't like this solution.

The CGI script itself works fine, and it has the httpd_user_content_t
type now:

-----------------------------------------------------------------------
[nuald@elc6002s cgi-bin]$ ls -Z `pwd`/format.cgi && pushd . > /dev/null && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd > /dev/null

-rwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/cgi-bin/format.cgi
drwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/cgi-bin
drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html
drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0 /home/nuald
drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
-----------------------------------------------------------------------

So the script just can't read files in the public_html folder. What is the
right way to fix it?

The script itself is below and used as
http://localhost/~nuald/cgi-bin/format.cgi?file=README
-----------------------------------------------------------------------
[nuald@elc6002s cgi-bin]$ cat format.cgi

#!/usr/bin/perl -wT

use strict;
use CGI qw/:standard/;
use IO::File;
use File::Spec;
use Cwd 'realpath';

print header;
my $filename = param('file') or die "Can be executed only as CGI";
# The script runs from cgi-bin, so ".." is the public_html directory.
my $updir = File::Spec->updir();
my $base = realpath($updir) or die "Can't resolve base directory";
my $rel_path = File::Spec->catfile($updir, $filename);
# Resolve symlinks and ".." components, then refuse anything that ends up
# outside public_html.
my $path = realpath($rel_path);
defined $path && index($path, "$base/") == 0
    or die "File must be inside $base";
my $file = IO::File->new($path,"<") or die "Can't open file $path";
my $text = join "", <$file>;
$file->close or die "Can't close file";

print $text;
-----------------------------------------------------------------------

Thanks in advance.
--
Best regards, Alex Slesarev.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
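
The manual triage in the post above (read the type out of the setroubleshoot line, then look for it in the path walk) can be scripted. This is an added example, not part of the original message; the function names `denied_type`, `alert_id` and `paths_with_type` are hypothetical, and the sample input is constructed from the output shown in the post, with contexts written in full `user:role:type:level` form.

```shell
#!/bin/sh
# Constructed sample input, taken from the output quoted in the post.
LOG_LINE='Nov 29 13:42:51 elc6002s setroubleshoot: #012 SELinux is preventing the format.cgi from using potentially mislabeled files <Unknown> (unconfined_home_dir_t).#012 For complete SELinux messages. run sealert -l 69519bd7-3e77-46d9-b845-7f066c4515e6'

PATH_WALK='-rw-rw-r-- nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/README
drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html
drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0 /home/nuald
drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home'

# SELinux type named in parentheses in a setroubleshoot summary line.
denied_type() {
    printf '%s\n' "$1" | sed -n 's/.*(\([A-Za-z0-9_]*_t\)).*/\1/p'
}

# Alert ID to hand to "sealert -l" for the full AVC details.
alert_id() {
    printf '%s\n' "$1" | sed -n 's/.*sealert -l \([0-9a-f-]*\).*/\1/p'
}

# Read "ls -Zd" lines (mode user group context path) on stdin and print the
# paths whose type, the third colon-separated field of the context, is $1.
# Assumes paths without whitespace, as in the sample.
paths_with_type() {
    awk -v want="$1" '{ split($4, ctx, ":"); if (ctx[3] == want) print $5 }'
}

# Tie the two together: which path component carries the denied type?
report() {
    t=$(denied_type "$LOG_LINE")
    printf 'denied type: %s\n' "$t"
    printf 'sealert id:  %s\n' "$(alert_id "$LOG_LINE")"
    printf '%s\n' "$PATH_WALK" | paths_with_type "$t" | sed 's/^/labelled so: /'
}

report
```

On the sample this points at `/home/nuald`, the same single component the poster identified by eye.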
 
12-03-2007, 03:19 PM
Daniel J Walsh

CGI can't read public_html files

Alex Slesarev wrote:
> Hello!
>
> I want to access public_html files from CGI script, but can't do it -
> got AVC error during reading README file from public_html dir:
>
> -----------------------------------------------------------------------
> [root@elc6002s nuald]# tail /var/log/messages | grep setroubleshoot -m 1
>
> Nov 29 13:42:51 elc6002s setroubleshoot: #012 SELinux is preventing
> the format.cgi from using potentially mislabeled files <Unknown>
> (unconfined_home_dir_t).#012 For complete SELinux messages. run
> sealert -l 69519bd7-3e77-46d9-b845-7f066c4515e6
> -----------------------------------------------------------------------
>
> I have only one item with unconfined_home_dir_t type in the path to
> README file:
>
> -----------------------------------------------------------------------
> [nuald@elc6002s public_html]$ ls -Z `pwd`/README && pushd . > /dev/null
> && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd >
> /dev/null
>
> -rw-rw-r-- nuald nuald system_u:object_r:httpd_user_content_t:s0
> /home/nuald/public_html/README
> drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0
> /home/nuald/public_html
> drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0
> /home/nuald
> drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
> -----------------------------------------------------------------------
>
> So, only my home dir have unconfined_home_dir_t type. But I do not want
> to change it to httpd_sys_content_t type and I don't like this solution.
>
> The CGI script itself works fine either it have httpd_user_content_t
> type now:
>
> -----------------------------------------------------------------------
> [nuald@elc6002s cgi-bin]$ ls -Z `pwd`/format.cgi && pushd . > /dev/null
> && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd >
> /dev/null
>
> -rwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0
> /home/nuald/public_html/cgi-bin/format.cgi
> drwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0
> /home/nuald/public_html/cgi-bin
> drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0
> /home/nuald/public_html
> drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0
> /home/nuald
> drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
> -----------------------------------------------------------------------
>
> So the script only can't read files in public_html folder. What is right
> way to fix it?
>
> The script itself is below and used as
> http://localhost/~nuald/cgi-bin/format.cgi?file=README
> <http://localhost/%7Enuald/cgi-bin/format.cgi?file=README>
> -----------------------------------------------------------------------
> [nuald@elc6002s cgi-bin]$ cat format.cgi
>
> #!/usr/bin/perl -wT
>
> use strict;
> use CGI qw/:standard/;
> use IO::File;
> use File::Spec;
> use Cwd 'realpath';
>
> print header;
> my $filename = param('file') or die "Can be executed only as CGI";
> my $updir = File::Spec->updir();
> my $rel_path = File::Spec->catfile($updir, $filename);
> my $path = realpath($rel_path) ;
> my $file = IO::File->new($path,"<") or die "Can't open file $path";
> my $text = join "", <$file>;
> $file->close or die "Can't close file";
>
> print $text;
> -----------------------------------------------------------------------
>
> Thanks in advance.
>
What selinux policy are you running?

rpm -q selinux-policy

