CGI script

Following is SE linux policy definition.
When permitting access to CGI scripts in system's '\tmp' directory,
which entries should be made in place of (A) and (B)

    policy_module(apache_ext, 1.0.1)

    require {
        type httpd_sys_script_t;
        type(A);
    }

    allow httpd_sys_script_t(B) :file_r_file_p
Chetan TamboliStudentAsked:
Who is Participating?
 
dfkeConnect With a Mentor Commented:
Hi,

it looks like that policy came from audit2allow.

So it might look something like:
require {
        type httpd_sys_content_t;
        type httpd_sys_script_t;
        class dir add_name;
        class file { write create };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
allow httpd_sys_script_t httpd_sys_content_t:file { write create };

Open in new window


Except for a couple of problems, the biggest being that all CGI Scripts would be able to read write all Apache content and you probably don't want that. The policy is also fragile since you might get an AVC like httpd_sys_script_t is not allowed to append to httpd_sys_content_t.

Better would be:
manage_files_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_t) 

Open in new window

So what's a better label that can be used? You can use httpd_sys_rw_content_t for the /tmp directory.
# semanage fcontext -a -t httpd_sys_rw_content_t "/tmp(/.*?)"
# restorecon -R -v /tmp

Open in new window

Cheers
2
 
dfkeCommented:
My comment has all the info to help out solving this question.

Cheers
1
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.