[Moin-user] Moin CGI script permissions on RedHat RHEL6.3 and CentOS6.3
Ole Holm Nielsen
Ole.H.Nielsen at fysik.dtu.dk
Tue Jul 17 03:12:39 EDT 2012
Thanks for your advice, Paul Boddie! To answer Reimar Bauer about the
use of CGI: I use it because it's simple to implement, and performance
isn't an issue at present. I did look at mod_wsgi a long time ago and
found it way too complex for simple usages of Moin.

>> SOLUTION:
>> setsebool -P httpd_enable_cgi=on
>> chcon -t httpd_unconfined_script_exec_t /.../cgi-bin/moin.cgi
>
> I'm not sure about the setsebool option, although I didn't set up Apache in my
> environment that uses SELinux, but I found that I needed to give my CGI
> script the httpd_sys_content_t type.

That's interesting! It would be better to give moin.cgi minimal
permissions. I find it really hard to get Moin to work under SELinux,
and once it miraculously works, you have a hard time figuring out the
minimal SELinux setup which would actually work :-(

I saw the setsebool command on http://moinmo.in/HowTo/FedoraSELinux but
I don't know whether it's really required. It would be great if someone
would have the time to write a similar HowTo for RHEL 6.x, since I think
there may be differences (the Fedora HowTo didn't work for me, but I may
have made mistakes).

> I'm using RHEL 6.3, so the above may be the solution. I also recommend using
> semanage to make security context information permanent. For example:
>
> semanage fcontext -a -t httpd_sys_content_t "/.../cgi-bin/moin.cgi"

The semanage command isn't installed on my RHEL 6.3 systems by default,
so now I did "yum install policycoreutils-python" to add it.
Reading the semanage man-page, it's not at all obvious to me what the
difference between "chcon" and "semanage fcontext -a" is.

> If you have other files that Apache processes need to access, it may be
> necessary to set this type for those files. For example:
>
> semanage fcontext -a -t httpd_sys_content_t "/var/lib/moin(/.*)?"
>
> This sets the type for a /var/lib/moin directory containing any separate Wiki
> configuration and data.
>
> To enforce security context information according to the policies stated
> above, do the following:
>
> restorecon -v /.../cgi-bin/moin.cgi
> restorecon -R -v /var/lib/moin
>
> This should ensure that files get labelled automatically.

The restorecon man-page says that it sets default SELinux security
contexts, whatever those may be. Yes, a deep study of SELinux is
something which I never bothered to do ;-)

Best regards, Ole
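The question in the post above (what separates "chcon" from "semanage fcontext -a", and what "restorecon" resets a file to) is easiest to see with a small model of the three commands. The block below is an added illustration, not code from the thread or from the Moin project; it is an in-memory simplification of SELinux labelling semantics (an assumption, not the real libselinux matching code) in which `chcon` writes a type onto a file right away but leaves policy untouched, `semanage fcontext -a` records a persistent path-pattern rule without touching any file, and `restorecon` rewrites a file's label to whatever policy currently says. The base rules and paths are constructed sample values patterned on the thread's commands.

```python
"""Toy model of SELinux file labels versus file-context policy (added example).

Assumed, simplified semantics:
  chcon -t TYPE PATH               -> sets TYPE on the inode now; policy unchanged
  semanage fcontext -a -t TYPE RE  -> adds a local rule (RE -> TYPE); files unchanged
  restorecon [-R] PATH             -> relabels file(s) to the policy-assigned type
Hence a chcon-only label is lost at the next restorecon (or a full relabel),
while a semanage rule is what restorecon applies.
"""
import re


class SELinuxModel:
    def __init__(self, base_rules):
        # Base policy: (regex, type) pairs in file_contexts order. Constructed sample.
        self.base_rules = [(re.compile(rx), t) for rx, t in base_rules]
        self.local_rules = []   # rules added with "semanage fcontext -a"; win over base
        self.labels = {}        # path -> type currently stored on the inode

    def create(self, path, type_):
        self.labels[path] = type_

    def chcon(self, path, type_):
        """chcon -t TYPE PATH: change the inode label only."""
        self.labels[path] = type_

    def semanage_fcontext_add(self, regex, type_):
        """semanage fcontext -a -t TYPE REGEX: persist a rule; no file is relabelled."""
        self.local_rules.append((re.compile(regex), type_))

    def matchpathcon(self, path):
        """Type that policy assigns to PATH (assumption: local rules before base,
        last matching rule in a list wins; a constructed default_t if nothing matches)."""
        for rules in (self.local_rules, self.base_rules):
            hits = [t for rx, t in rules if rx.fullmatch(path)]
            if hits:
                return hits[-1]
        return "default_t"

    def restorecon(self, path, recursive=False):
        """restorecon [-R] PATH: reset labels to policy; returns (path, new_type) for each change."""
        prefix = path.rstrip("/") + "/"
        targets = [p for p in self.labels
                   if p == path or (recursive and p.startswith(prefix))]
        changed = []
        for p in targets:
            want = self.matchpathcon(p)
            if self.labels[p] != want:
                self.labels[p] = want
                changed.append((p, want))
        return changed

    def mislabelled(self):
        """Files whose inode label differs from policy (what a dry-run relabel would list)."""
        return sorted(p for p, t in self.labels.items() if t != self.matchpathcon(p))


def demo():
    # Constructed base policy in the spirit of the targeted policy's file_contexts.
    model = SELinuxModel([
        (r"/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
        (r"/var/lib(/.*)?", "var_lib_t"),
    ])
    cgi = "/var/www/cgi-bin/moin.cgi"                  # constructed path
    page = "/var/lib/moin/data/pages/FrontPage"        # constructed path
    model.create(cgi, model.matchpathcon(cgi))
    model.create(page, model.matchpathcon(page))

    # 1. chcon alone: the label changes immediately ...
    model.chcon(cgi, "httpd_unconfined_script_exec_t")
    after_chcon = model.labels[cgi]
    # ... but policy still says httpd_sys_script_exec_t, so restorecon undoes it.
    model.restorecon(cgi)
    after_restorecon = model.labels[cgi]

    # 2. semanage fcontext -a: nothing on disk changes until restorecon applies the rule,
    #    and because the rule is persistent, every later restorecon keeps that label.
    model.semanage_fcontext_add(r"/var/lib/moin(/.*)?", "httpd_sys_content_t")
    pending = model.mislabelled()                      # page is now out of step with policy
    model.restorecon("/var/lib/moin", recursive=True)  # restorecon -R -v /var/lib/moin
    model.restorecon(page)                             # a second pass changes nothing back
    final = model.labels[page]
    return after_chcon, after_restorecon, pending, final


if __name__ == "__main__":
    print(demo())
```

The model makes the practical point explicit: a label set with `chcon` only lives on the inode, so anything that relabels from policy (a `restorecon`, a package update that runs it, a full relabel on boot) silently reverts it, whereas `semanage fcontext -a` changes what policy says and `restorecon` then makes the files agree with it. Listing the files where inode label and policy disagree, as `mislabelled()` does, is the check worth running before trusting that a working setup will survive the next relabel.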