On FC4 test2 with targeted policy (selinux-policy-targeted-1.23.14-2), I tried to run CGI from a user home directory.
After checking that it ran in permissive mode, I ran chcon as follows:
chcon -R system_u:object_r:httpd_sys_script_exec_t ~/public_html/cgi-bin/
I found it does not work in enforcing mode. After I added "allow httpd_suexec_t user_home_t:dir { read };" it worked. Please add it to apache.te.
--- Yuichi Nakamura
Yuichi Nakamura wrote:
> On FC4 test2 with targeted policy (selinux-policy-targeted-1.23.14-2), I tried to run CGI from a user home directory.
> After checking that it ran in permissive mode, I ran chcon as follows:
> chcon -R system_u:object_r:httpd_sys_script_exec_t ~/public_html/cgi-bin/
> I found it does not work in enforcing mode. After I added "allow httpd_suexec_t user_home_t:dir { read };" it worked. Please add it to apache.te.
What is the context of ~/public_html ?
> Yuichi Nakamura
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Daniel J Walsh wrote:
> Yuichi Nakamura wrote:
>> On FC4 test2 with targeted policy (selinux-policy-targeted-1.23.14-2), I tried to run CGI from a user home directory.
>> After checking that it ran in permissive mode, I ran chcon as follows:
>> chcon -R system_u:object_r:httpd_sys_script_exec_t ~/public_html/cgi-bin/
>> I found it does not work in enforcing mode. After I added "allow httpd_suexec_t user_home_t:dir { read };" it worked. Please add it to apache.te.
> What is the context of ~/public_html ?
The context of public_html is:
$ ls -Z /home/ynakam/
drwxrwxr-x ynakam ynakam user_u:object_r:httpd_user_content_t public_html
The entry in audit.log is:
type=KERNEL msg=audit(1115674284.731:1699441): avc: denied { search } for name=ynakam dev=hda5 ino=32719 scontext=system_u:system_r:httpd_suexec_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
--- Yuichi Nakamura
Yuichi Nakamura wrote:
> Daniel J Walsh wrote:
>> Yuichi Nakamura wrote:
>>> On FC4 test2 with targeted policy (selinux-policy-targeted-1.23.14-2), I tried to run CGI from a user home directory.
>>> After checking that it ran in permissive mode, I ran chcon as follows:
>>> chcon -R system_u:object_r:httpd_sys_script_exec_t ~/public_html/cgi-bin/
>>> I found it does not work in enforcing mode. After I added "allow httpd_suexec_t user_home_t:dir { read };" it worked. Please add it to apache.te.
>> What is the context of ~/public_html ?
> The context of public_html is:
> $ ls -Z /home/ynakam/
> drwxrwxr-x ynakam ynakam user_u:object_r:httpd_user_content_t public_html
> The entry in audit.log is:
> type=KERNEL msg=audit(1115674284.731:1699441): avc: denied { search } for name=ynakam dev=hda5 ino=32719 scontext=system_u:system_r:httpd_suexec_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
> Yuichi Nakamura
Do you have the httpd_enable_homedirs boolean set? I see policy that says:
if (httpd_enable_homedirs) {
allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
}
Also your first message said
"allow httpd_suexec_t user_home_t:dir { read };"
was necessary.
This error requires
"allow httpd_suexec_t user_home_dir_t:dir { search };"
Daniel J Walsh <dwalsh@redhat.com> wrote:
> Do you have the httpd_enable_homedirs boolean set? I see policy that says:
> if (httpd_enable_homedirs) {
> allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
> }
# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> active
> Also your first message said "allow httpd_suexec_t user_home_t:dir { read };" was necessary.
I'm sorry, it was my mistake. I pasted an allow statement from another test ;)
> This error requires "allow httpd_suexec_t user_home_dir_t:dir { search };"
Yes, "allow httpd_suexec_t user_home_dir_t:dir search;" is correct.
> I see policy that says:
> if (httpd_enable_homedirs) {
> allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
> }
This appears in the apache_user_domain macro, but it seems that apache_user_domain is not used in the targeted policy.
--- Yuichi Nakamura
Yuichi Nakamura wrote:
> Daniel J Walsh <dwalsh@redhat.com> wrote:
>> Do you have the httpd_enable_homedirs boolean set? I see policy that says:
>> if (httpd_enable_homedirs) {
>> allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
>> }
> # getsebool httpd_enable_homedirs
> httpd_enable_homedirs --> active
>> Also your first message said "allow httpd_suexec_t user_home_t:dir { read };" was necessary.
> I'm sorry, it was my mistake. I pasted an allow statement from another test ;)
>> This error requires "allow httpd_suexec_t user_home_dir_t:dir { search };"
> Yes, "allow httpd_suexec_t user_home_dir_t:dir search;" is correct.
>> I see policy that says:
>> if (httpd_enable_homedirs) {
>> allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
>> }
> This appears in the apache_user_domain macro, but it seems that apache_user_domain is not used in the targeted policy.
Yes, nice catch. I will fix.
> Yuichi Nakamura
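As an added illustration (not code from the thread or from the SELinux tools): a small Python script, a miniature audit2allow, that parses the AVC denial quoted above into the allow rule it calls for, and then checks whether a proposed rule actually covers that denial. That check is the mix-up corrected in this thread: the first rule posted (user_home_t:dir read) does not match the denial (user_home_dir_t:dir search), so it could never have been what made the CGI work. The AVC line is constructed from the one quoted in the thread.

```python
import re

# AVC denial constructed from the audit.log entry quoted in the thread above.
AVC_LINE = ("type=KERNEL msg=audit(1115674284.731:1699441): avc: denied { search } "
            "for name=ynakam dev=hda5 ino=32719 "
            "scontext=system_u:system_r:httpd_suexec_t "
            "tcontext=user_u:object_r:user_home_dir_t tclass=dir")

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

# allow <source> <target>:<class> <perm>;   or   allow <source> <target>:<class> { perms };
RULE_RE = re.compile(
    r"allow\s+(?P<stype>\S+)\s+(?P<ttype>[^:\s]+):(?P<tclass>\S+)\s+"
    r"(?:\{\s*(?P<set>[^}]+?)\s*\}|(?P<one>[^\s;]+))\s*;")

def parse_avc(line):
    """Return (source type, target type, class, permissions) for one AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = m.group("scontext").split(":")[2]   # contexts are user:role:type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())

def allow_rule(denial):
    """Minimal allow rule that would permit exactly this denial."""
    stype, ttype, tclass, perms = denial
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))

def parse_rule(text):
    """Parse a single allow rule into the same tuple shape as parse_avc()."""
    m = RULE_RE.search(text)
    if m is None:
        return None
    perms = m.group("set") or m.group("one")
    return m.group("stype"), m.group("ttype"), m.group("tclass"), frozenset(perms.split())

def rule_covers(rule_text, denial):
    """True if the rule grants the denied (source, target, class, perms) access."""
    rule = parse_rule(rule_text)
    if rule is None:
        return False
    return rule[:3] == denial[:3] and denial[3] <= rule[3]

if __name__ == "__main__":
    d = parse_avc(AVC_LINE)
    print(allow_rule(d))
    for r in ("allow httpd_suexec_t user_home_t:dir { read };",
              "allow httpd_suexec_t user_home_dir_t:dir search;"):
        print("%-52s covers denial: %s" % (r, rule_covers(r, d)))
```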