httpd controls ?

Christofer C. Bell christofer.c.bell at
Wed Mar 30 15:32:00 UTC 2005

On Wed, 30 Mar 2005 17:55:36 +0800, Jeremy Ardley <jeremy at> wrote:
> Hi,
> I am experimenting with cgi-bin perl scripts to set specific user's
> passwords. The scripts correctly generate passwords when run from the
> bash prompt but silently do nothing when invoked on the web page.
> I assume this is a selinux issue and would like some pointers.

Check /var/log/messages for 'avc: denied' messages.  If you don't see
any, this is not an SELinux issue.  If you do see these messages, then
see below.
> 1.Is letting a cgi script change passwords a good idea?

This is more religious issue than anything else, in my opinion.  I
wouldn't allow it, personally.

> 2. If it is safe, how do I persuade selinux to let it happen?

Look into use of the audit2allow utility for converting denied
messages into rules that allow the behavior that was denied. The the
short of it is:

# cd /etc/selinux/targeted/src
# audit2allow -d -l -o domains/misc/local.te && make load

Repeat until your script works and then clean up the local.te file's
formatting (not necessary).  The long of it (and a good read) is the
Red Hat Enterprise Linux 4 SELinux Guide
 I'd suggest reading that, specifically section II before doing what
I've suggested here to make sure you have a full understanding of
what's going on.

Note that you are peeling back layers of SELinux protection by doing
this (by granting permissions rather than denying them).  In worst
case, this part of your system (in this case CGI scripts) will have
the same basic Linux DAC (discretionary access controls) protection
that you've been using since before SELinux was available.  You can't
make your system less secure than you would be without SELinux using
audit2allow, you can only put yourself in a state where SELinux is
effectively disabled.


"Build a man a fire and he will be warm for the rest of the night.  Set
a man on fire and he will be warm for the rest of his life."  -- Unknown

More information about the fedora-selinux-list mailing list