Linux - Newbie: This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's, this is the place!
If it is in a user's home directory then you need to use the booleans to enable access.
Note: (this seems to be in error on Fedora) Normally you would use httpd_enable_homedirs to enable access to home directories, then the user can set httpd_user_content_t on the public directory, and httpd_user_script_t on a directory for CGI.
The CGI really ought to be in the httpd cgi-bin directory after a security validation study, as it can grant remote shell access to the apache account - which in turn gives access to other user data.
I am not setting anything specific for the http server.
You are suggesting various types of SELinux security contexts to use.
I am just testing if I can set context type for any directory or file.
But I cannot do that with sudo. Why?
It all depends on WHERE things are defined to be allowed.
User directories are for users, not httpd_sys_content_t (which is read only) content. A "restorecon" will restore them to the defined proper label. httpd_user_content_t is allowed, and the USER is permitted to set it.
Type script_exec_t won't be affected by restorecon because it is what SELinux calls a "customizable type," one that is frequently used on files that can be located in arbitrary places in the filesystem. The file /etc/selinux/targeted/contexts/customizable_types lists those types. You can use chcon to set the type to something else, but neither restorecon nor a complete system relabel operation will change it.
[EDIT] There is a "-F" option for restorecon that will force even customizable types to be reset.
Last edited by rknichols; 12-21-2016 at 03:37 PM.
Reason: Add mention of "-F" option
I think that depends on the model...
What I see is "httpd_user_script_exec_t" is allowed in home directories (well, /home/public_html/cgi-bin/....) and won't be altered.
The list I find is:
httpd_user_content_t
httpd_user_script_exec_t
httpd_user_htaccess_t
httpd_user_ra_content_t
But this is on Fedora 24, which I believe was used on CentOS 7.
It would be best to look in /etc/selinux/targeted/contexts/file_contexts and file_contexts.homedirs to verify what is allowed.
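The behaviour described in this thread (a plain restorecon leaves a "customizable type" alone, restorecon -F resets it, and the expected label comes from file_contexts) as an added shell example that is not code from the thread or from the SELinux tools. Both data fragments are constructed to mirror the real file syntax; the path /home/bob/... and the type names in them are illustrative.

```shell
# Added example (not from the thread). Both fragments are CONSTRUCTED; on a real host read
# /etc/selinux/targeted/contexts/files/file_contexts.homedirs and .../customizable_types.
# file_contexts syntax: <path regex> <context>; the last matching entry wins.
FILE_CONTEXTS='
/home/[^/]+/.+                         unconfined_u:object_r:user_home_t:s0
/home/[^/]+/public_html(/.+)?          system_u:object_r:httpd_user_content_t:s0
/home/[^/]+/public_html/cgi-bin(/.+)?  system_u:object_r:httpd_user_script_exec_t:s0
'
# customizable_types syntax: one type per line.
CUSTOMIZABLE='
httpd_user_content_t
httpd_user_script_exec_t
'
# Type the policy expects for PATH (empty when no entry matches).
expected_type() {
    path=$1; found=
    while read -r regex ctx; do
        [ -z "$regex" ] && continue
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            found=$ctx                      # keep scanning: later entries override
        fi
    done <<EOF
$FILE_CONTEXTS
EOF
    printf '%s\n' "$found" | cut -d: -f3    # user:role:type:level -> type
}
# True when TYPE is customizable, i.e. left alone by restorecon unless -F is given.
is_customizable() {
    printf '%s\n' "$CUSTOMIZABLE" | grep -qx "$1"
}
# restorecon_plan PATH CURRENT_TYPE [force]: print the type the file carries after
# restorecon (restorecon -F when "force" is given); exit status 0 if it changed.
restorecon_plan() {
    expected=$(expected_type "$1")
    if [ -z "$expected" ]; then
        echo "$2"; return 1                 # no policy entry: nothing to restore
    fi
    if [ -z "${3:-}" ] && is_customizable "$2"; then
        echo "$2"; return 1                 # chcon'd customizable type survives
    fi
    echo "$expected"
    [ "$expected" != "$2" ]
}
# The situations discussed in the thread, run offline.
for args in "/home/bob/public_html/index.html httpd_sys_content_t" \
            "/home/bob/docs/notes.txt httpd_user_script_exec_t" \
            "/home/bob/docs/notes.txt httpd_user_script_exec_t force"; do
    set -- $args
    printf '%-36s %-27s -> %s\n' "$1" "$2${3:+ (-F)}" "$(restorecon_plan "$@")"
done
```

On a live system, compare the prediction with `restorecon -nv PATH` (dry run) and `matchpathcon PATH`, which read the real policy files.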