Bug 566557
| Summary: | cgi scripts on nfs will not run | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Jason M. Nielsen <jason.michael.nielsen> | |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> | |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | low | |||
| Version: | 5.4 | CC: | dwalsh, mmalik | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 580568 (view as bug list) | Environment: | ||
| Last Closed: | 2010-03-30 07:51:08 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 580568 | |||
Miroslav, You need fs_nfs_entry_type(httpd_sys_script_t) fs_cifs_entry_type(httpd_sys_script_t) in apache.te Both for F12 and RHEL5.5 ######################################## ## <summary> ## Make general progams in nfs an entrypoint for ## the specified domain. ## </summary> ## <param name="domain"> ## <summary> ## The domain for which nfs_t is an entrypoint. ## </summary> ## </param> # interface(`fs_nfs_entry_type',` gen_require(` type nfs_t; ') domain_entry_file($1, nfs_t) ') ######################################## ## <summary> ## Make general progams in cifs an entrypoint for ## the specified domain. ## </summary> ## <param name="domain"> ## <summary> ## The domain for which cifs_t is an entrypoint. ## </summary> ## </param> # interface(`fs_cifs_entry_type',` gen_require(` type cifs_t; ') domain_entry_file($1, cifs_t) ') in filesystem.if Fixed in selinux-policy-2.4.6-275.el5 An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0182.html |
Not sure if this is a "bug" but it might be more of a feature request or existing feature enhancement... Description of problem:I have user home dirs and public_html dirs on a nfs mount. All of this works fine with the appropriate booleans toggled. Each of the users also needs a cgi-bin directory which also resides on the same nfs mount. When this is attempted an AVC denial occurs. Seems like httpd_use_nfs would include this or perhaps another boolean. Version-Release number of selected component (if applicable): libselinux-1.33.4-5.5.el5 libselinux-utils-1.33.4-5.5.el5 selinux-policy-targeted-2.4.6-255.el5 libselinux-1.33.4-5.5.el5 libselinux-python-1.33.4-5.5.el5 selinux-policy-2.4.6-255.el5 selinux-policy-devel-2.4.6-255.el5 How reproducible: Create a simple perl script. Setup nfs mounted user public_html dirs and setup cgi-bin apache functionality there. Hit the cgi via a web browser. Actual results: type=AVC msg=audit(1266510273.811:104938): avc: denied { entrypoint } for pid=4046 comm="httpd" path="/var/www/public_html/jnielsen/cgi-bin/test0.pl" dev=0:16 ino=142233 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file Expected results: CGI executes. Additional info: I spoke to dgrift on freenoe #selinux and they seemed to think it was odd what the script was running as and this might be a bug or perhaps I misunderstood.