[Moin-user] Moin CGI script permissions on RedHat RHEL6.3 and CentOS6.3

Reimar Bauer rb.proj at gmail.com
Mon Jul 16 13:51:59 EDT 2012


Just a question

Is there no mod_wsgi on SELinux?
Or why do you use CGI?

Reimar


On 13.07.2012 21:10, Paul Boddie wrote:
> On Friday 13 July 2012 13:43:44 Ole Holm Nielsen wrote:
>> We run Moin 1.9.4 on a RHEL 6.2 Linux server which was upgraded to RHEL
>> 6.3.  After the upgrade we saw SELinux permission errors in the Apache
>> errorlog:
>>
>> python: can't open file '/var/www/wiki/cgi-bin/moin.cgi': [Errno 13]
>> Permission denied
>>
>> This is an issue with SELinux (as determined by turning off SELinux).
>> There exists a Moin HowTo http://moinmo.in/HowTo/FedoraSELinux, but it
>> doesn't seem to help any on RHEL6 Linux.  After much googling and
>> experimentation I found the following:
>>
>> SOLUTION:
>> setsebool -P httpd_enable_cgi=on
>> chcon -t httpd_unconfined_script_exec_t /.../cgi-bin/moin.cgi
> 
> I'm not sure about the setsebool option, although I didn't set up Apache in my 
> environment that uses SELinux, but I found that I needed to give my CGI 
> script the httpd_sys_content_t type.
> 
>> Comments:
>> The first line allows CGI scripts in the first place - that's simple.
>> The second line disables SELinux completely for the moin.cgi script, see
>> "man httpd_selinux" (on Fedora this man-page contains more details).
>> The SELinux context httpd_sys_script_exec_t for moin.cgi recommended
>> elsewhere simply doesn't work on RHEL 6.3.
>>
>> I hope this may help others with RHEL6 Moin servers.
> 
> I'm using RHEL 6.3, so the above may be the solution. I also recommend using 
> semanage to make security context information permanent. For example:
> 
> semanage fcontext -a -t httpd_sys_content_t "/.../cgi-bin/moin.cgi"
> 
> If you have other files that Apache processes need to access, it may be 
> necessary to set this type for those files. For example:
> 
> semanage fcontext -a -t httpd_sys_content_t "/var/lib/moin(/.*)?"
> 
> This sets the type for a /var/lib/moin directory containing any separate Wiki 
> configuration and data.
> 
> To enforce security context information according to the policies stated 
> above, do the following:
> 
> restorecon -v /.../cgi-bin/moin.cgi
> restorecon -R -v /var/lib/moin
> 
> This should ensure that files get labelled automatically.
> 
> Paul
> 
> P.S. I'm not an SELinux expert and found that it is generally poorly 
> documented, so any refinements to the above would be welcome.
> 
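A check that could be run after applying either labelling from the thread, as an added example that is not part of any poster's message: it reads `ls -Z` output and lists files labelled `httpd_unconfined_script_exec_t`, the type the original post describes as disabling SELinux for the script. The sample listing, `other.cgi` and `/srv/wiki/my wiki.cgi` are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit `ls -Z` output for CGI scripts
# labelled with the unconfined type.
UNCONFINED_TYPE="httpd_unconfined_script_exec_t"

# Constructed sample listing; other.cgi and "my wiki.cgi" are made-up names.
sample_listing() {
cat <<'EOF'
-rwxr-xr-x. root root system_u:object_r:httpd_unconfined_script_exec_t:s0 /var/www/wiki/cgi-bin/moin.cgi
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/wiki/cgi-bin/other.cgi
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 /var/lib/moin
system_u:object_r:httpd_unconfined_script_exec_t:s0 /srv/wiki/my wiki.cgi
EOF
}

# Print "<type> <path>" for each `ls -Z` line on stdin. Handles the RHEL 6
# layout (mode user group context path) and the newer one (context path) by
# locating the first field shaped like user:role_r:type[:level].
list_types() {
    awk '{
        for (i = 1; i < NF; i++) {
            n = split($i, part, ":")
            if (n >= 3 && part[2] ~ /_r$/) {
                path = $(i + 1)
                for (j = i + 2; j <= NF; j++) path = path " " $j
                print part[3], path
                next
            }
        }
    }'
}

# Print the paths carrying the unconfined type; return 1 if any were found.
find_unconfined() {
    found=$(list_types | awk -v t="$UNCONFINED_TYPE" \
        '$1 == t { sub(/^[^ ]+ /, ""); print }')
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

sample_listing | find_unconfined || echo "unconfined CGI scripts listed above"
```

On a live system the input would come from something like `ls -Z /var/www/wiki/cgi-bin | find_unconfined`.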






