From: Daniel J Walsh <dwalsh@redhat.com>
To: gyurdiev@redhat.com
Cc: "R. Steven Rainwater" <srainwater@ncc.com>, SELinux@tycho.nsa.gov
Subject: Re: dumb newbie questions
Date: Mon, 20 Jun 2005 14:06:58 -0400
Message-ID: <42B705C2.5000002@redhat.com>
In-Reply-To: <1119286753.5061.11.camel@celtics.boston.redhat.com>

Ivan Gyurdiev wrote:

>>Okay, this is beginning to make a little sense. So looking at my test
>>script again, when it's sitting in my home directory ls -alZ shows this:
>>
>>-rwxrwxr-x rsr:rsr root:object_r:user_home_t  test.pl
>>
>>If I run it there it works fine. But when I move it anywhere in the
>>/var/www tree, ls -alZ shows this:
>>
>>-rwxrwxr-x rsr:rsr root:object_r:httpd_sys_content_t test.pl
>
>You need to make the distinction between move (as in mv)
>and copy (as in cp). The former doesn't change context (just like
>it doesn't change permissions).
>
>>And here it doesn't run (for me or root) but it will run for Apache.
>
>That might be a bug in policy...
>cc-ed dwalsh
>
>>So
>>that means that when I copy or move a script, the context automagically
>>changes to correspond to whatever security rules are allowed within that
>>directory? That still sounds to me like "context" means it runs if I put
>>it in one directory but doesn't run if I put it in another.
>
>Context in SELinux is mostly determined based on location.
>It uses organization based on the directory structure to label things
>properly. As Stephen explained, it matches based on regular expressions
>on the path.
>
>>I've discovered the chcon utility, so now I'm wondering if what I need
>>to do is change the context of my script to something that will allow
>>both Apache to run it as a CGI and ALSO allow root or another user to
>>run the script normally with stdout.
>
>So, as Eric mentioned, SELinux shouldn't be transitioning to a different
>context when executing a web script from the user shell. It sounds
>to me like this isn't what's happening, however. It sounds like
>unconfined_t simply can't access those files, which I suspect is a bug.
>
>Are you sure the denial you got when running your script as root from a
>shell said: scontext=...httpd.. ? It would help if you could double
>check that.
The latest targeted policy does/should not transition from unconfined_t 
to httpd_sys_script_t.  So the script should be allowed to output to the
terminal.  If you update policy that is.

-- 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
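The labeling behaviour the thread argues about (a file's default context chosen by regular expressions over its path, mv keeping the label while cp does not, restorecon putting it back) modelled in Python, as an added example that is not code from this thread or from SELinux. The file_contexts table is constructed and heavily abbreviated around the types quoted above; the LabeledFS class, its method names and the "/home/rsr" and "/var/www/cgi-bin" paths are assumptions made for the illustration, and the in-memory "filesystem" stands in for the security.selinux xattr a real one carries.

```python
import re

# Constructed, heavily abbreviated file_contexts table (shape of file_contexts(5):
# a regex over the whole path and the context it selects). It is an illustration
# built around the types quoted in the thread, not an excerpt of any real policy;
# real policy also gives home directories their own type and adds a
# type_transition rule for files created there, both omitted here.
FILE_CONTEXTS = [
    (r"/.*",                    "system_u:object_r:default_t"),
    (r"/home/[^/]+(/.*)?",      "system_u:object_r:user_home_t"),
    (r"/var/www(/.*)?",         "system_u:object_r:httpd_sys_content_t"),
    (r"/var/www/cgi-bin(/.*)?", "system_u:object_r:httpd_sys_script_exec_t"),
]


def matchpathcon(path):
    """Default context for `path`, the way matchpathcon/restorecon pick it:
    a regex must match the whole path, and the LAST matching entry wins,
    which is why generic patterns sit at the top and overrides below them."""
    for regex, context in reversed(FILE_CONTEXTS):
        if re.fullmatch(regex, path):
            return context
    raise LookupError(f"no file_contexts entry matches {path!r}")


def type_of(context):
    """The type field of a user:role:type context."""
    return context.split(":")[2]


class LabeledFS:
    """In-memory stand-in for a filesystem carrying a security.selinux xattr
    per inode: just enough to show what mv, cp and restorecon do to labels."""

    def __init__(self, directories):
        # Directories start out labeled as after a fresh relabel.
        self.labels = {d: matchpathcon(d) for d in directories}

    @staticmethod
    def parent(path):
        return path.rsplit("/", 1)[0] or "/"

    def create(self, path):
        # Absent a type_transition rule, a new file inherits the type of the
        # directory it is created in, whatever file_contexts says about the path.
        self.labels[path] = self.labels[self.parent(path)]
        return self.labels[path]

    def mv(self, src, dst):
        # rename(2) inside one filesystem keeps the inode, so the xattr and the
        # context travel with the file untouched (a cross-filesystem mv copies).
        self.labels[dst] = self.labels.pop(src)
        return self.labels[dst]

    def cp(self, src, dst, preserve_context=False):
        # cp writes a new inode, so the copy is labeled like any new file in the
        # destination directory unless asked to keep the source's context
        # (coreutils: cp --preserve=context).
        if preserve_context:
            self.labels[dst] = self.labels[src]
            return self.labels[dst]
        return self.create(dst)

    def restorecon(self, path):
        # Put the file back to the file_contexts default for its path.
        self.labels[path] = matchpathcon(path)
        return self.labels[path]


def walk_through():
    """The steps from the thread, each mapped to the resulting type."""
    fs = LabeledFS(["/", "/home", "/home/rsr", "/var", "/var/www", "/var/www/cgi-bin"])
    steps = {}
    steps["create in ~rsr"] = type_of(fs.create("/home/rsr/test.pl"))
    steps["mv to /var/www"] = type_of(fs.mv("/home/rsr/test.pl", "/var/www/test.pl"))
    steps["restorecon"] = type_of(fs.restorecon("/var/www/test.pl"))
    steps["cp to cgi-bin"] = type_of(fs.cp("/var/www/test.pl", "/var/www/cgi-bin/test.pl"))
    steps["cp --preserve=context"] = type_of(
        fs.cp("/var/www/test.pl", "/var/www/cgi-bin/copy.pl", preserve_context=True))
    return steps


if __name__ == "__main__":
    for step, t in walk_through().items():
        print(f"{step:24s} -> {t}")
```

Running it shows the distinction Ivan draws: the moved script keeps user_home_t until restorecon (or chcon) touches it, while the copy picks up the destination directory's type. On a real system the same check is `ls -Z` before and after, and `matchpathcon /var/www/test.pl` to see what restorecon would set.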
