CGI on user directory
Daniel J Walsh
dwalsh at redhat.com
Tue May 10 10:47:34 UTC 2005
Yuichi Nakamura wrote:
>Daniel J Walsh wrote:
>
>
>>Yuichi Nakamura wrote:
>>
>>
>>
>>>On FC4 test2 with targeted policy(selinux-policy-targeted-1.23.14-2),
>>>I tried to run CGI on user home directory.
>>>
>>>After checked it run on permissive mode,
>>>chcon like following.
>>>chcon -R system_u:object_r:httpd_sys_script_exec_t ~/public_html/cgi-bin/
>>>
>>>I found it does not work on enforcing mode.
>>>After I add "allow httpd_suexec_t user_home_t:dir { read };"
>>>it worked.
>>>Please add it to apache.te
>>>
>>>
>>What is the context of ~/public_html ?
>>
>>
>
>context of public_html is
>$ ls -Z /home/ynakam/
>drwxrwxr-x ynakam ynakam user_u:object_r:httpd_user_content_t public_html
>
>Entry in audit.log is
>type=KERNEL msg=audit(1115674284.731:1699441): avc: denied { search } for name=ynakam dev=hda5 ino=32719 scontext=system_u:system_r:httpd_suexec_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
>
>---
>Yuichi Nakamura
>
>
>
Do you have the httpd_enable_homedirs boolean set?
I see policy that says:
if (httpd_enable_homedirs) {
allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir {
getattr search };
}
Also your first message said
"allow httpd_suexec_t user_home_t:dir { read };"
was necessary
This error requires
"allow httpd_suexec_t user_home_dir_t:dir { search };"
--
More information about the fedora-selinux-list
mailing list