httpd controls ?
Colin Walters
walters at redhat.com
Wed Mar 30 18:56:31 UTC 2005
On Wed, 2005-03-30 at 10:03 -0600, Christofer C. Bell wrote:
> That's a very good point and really bears spelling out. How would one
> go about creating the new domain and then implementing the proper
> transition for just one set of CGI scripts? I ask because I (was)
> running Open WebMail and ran into the case where I needed to
> effectively disable SELinux controls over all CGI scripts to allow OWM
> to run. I would have preferred the case where these controls were
> removed *only* for the relavent scripts, allowing the remaining
> scripts to keep the protections afforded by the default policy.
Dan has written a new domain "httpd_unconfined_t" and corresponding
httpd_unconfined_script_exec_t which I believe is in the latest rawhide.
You can then mark specific CGI scripts such as ones that change user
passwords like so:
chcon -t httpd_unconfined_script_exec_t /path/to/my/passwd.cgi
Then the script will be unconfined when executed by httpd. Note that in
general this is fairly dangerous if the script is actually written in a
language like Python, since a malicious httpd_t process could set a
number of environment variables like PYTHONPATH before executing the
script which could easily lead to a compromise of the unconfined script.
I can't think of a good solution for this other than writing your own
little C program. Probably we need a specialized interpreter,
e.g. /bin/envexec which would take a list of environment variables to
preserve, and you could write a little script like:
#!/bin/envexec
/var/www/cgi-bin/myscript.cgi
Then you make that file executable and make its type be
httpd_unconfined_script_exec_t.
Maybe someone can think of a better way to create wrappers for cleaning
the environment without actually writing a new little C program.
More information about the fedora-selinux-list
mailing list