Thanks for your advice, Paul Boddie!  To answer Reimar Bauer about the 
use of CGI: I use it because it's simple to implement, and performance 
isn't an issue at present.  I did look at mod_wsgi a long time ago and 
found it way too complex for simple usages of Moin.

>> SOLUTION:
>> setsebool -P httpd_enable_cgi=on
>> chcon -t httpd_unconfined_script_exec_t /.../cgi-bin/moin.cgi
>
> I'm not sure about the setsebool option, although I didn't set up Apache in my
> environment that uses SELinux, but I found that I needed to give my CGI
> script the httpd_sys_content_t type.

That's interesting!  It would be better to give moin.cgi minimal 
permissions.  I find it really hard to get Moin to work under SELinux, 
and once it miraculously works, you have a hard time figuring out the 
minimal SELinux setup which would actually work :-(

I saw the setsebool command on http://moinmo.in/HowTo/FedoraSELinux but 
I don't know whether it's really required.  It would be great if someone 
had the time to write a similar HowTo for RHEL 6.x, since I think 
there may be differences (the Fedora HowTo didn't work for me, but I may 
have made mistakes).

> I'm using RHEL 6.3, so the above may be the solution. I also recommend using
> semanage to make security context information permanent. For example:
>
> semanage fcontext -a -t httpd_sys_content_t "/.../cgi-bin/moin.cgi"

The semanage command isn't installed on my RHEL 6.3 systems by default, 
so now I did "yum install policycoreutils-python" to add it.

Reading the semanage man-page, it's not at all obvious to me what the 
difference between "chcon" and "semanage fcontext -a" is?

> If you have other files that Apache processes need to access, it may be
> necessary to set this type for those files. For example:
>
> semanage fcontext -a -t httpd_sys_content_t "/var/lib/moin(/.*)?"
>
> This sets the type for a /var/lib/moin directory containing any separate Wiki
> configuration and data.
>
> To enforce security context information according to the policies stated
> above, do the following:
>
> restorecon -v /.../cgi-bin/moin.cgi
> restorecon -R -v /var/lib/moin
>
> This should ensure that files get labelled automatically.

The restorecon man-page says that it sets default SELinux security 
contexts, whatever those may be?  Yes, a deep study of SELinux is 
something which I never bothered to do ;-)

Best regards, Ole
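To illustrate the chcon/semanage/restorecon distinction discussed in this thread, here is an added shell script (not from Ole, Paul, or the MoinMoin project). It assumes RHEL 6-style tooling (semanage from policycoreutils-python, restorecon, matchpathcon, GNU stat) and takes the type name as a parameter, since the thread itself mentions more than one candidate type and the least-privileged one that works should be chosen; the /var/www/cgi-bin path below is a hypothetical example.

```shell
#!/bin/sh
# Added example: persistently label a MoinMoin CGI script and its data
# directory the way the thread describes, then verify the on-disk labels.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# label_path TYPE PATH_REGEX PATH
# chcon only rewrites the label on the inode, and the change is lost at the
# next relabel (restorecon, a full relabel at boot, or a package update).
# "semanage fcontext -a" records a rule in the policy's file_contexts;
# restorecon then applies that rule to the files that exist on disk.
# Note: -a fails if a rule for the regex already exists; inspect with
# "semanage fcontext -l" and use -m to modify an existing rule.
label_path() {
    type="$1"; regex="$2"; path="$3"
    case "$regex" in
        *'(/.*)?') rflag="-R" ;;   # directory rule: relabel recursively
        *)         rflag=""   ;;   # single-file rule
    esac
    run semanage fcontext -a -t "$type" "$regex"
    run restorecon $rflag -v "$path"
}

# verify_label PATH: returns 0 when the label on disk equals what the policy
# rules say it should be, 1 otherwise (i.e. a relabel would change it).
verify_label() {
    path="$1"
    on_disk=$(stat -c %C "$path")          # current context on the inode
    expected=$(matchpathcon -n "$path")    # context per file_contexts rules
    [ "$on_disk" = "$expected" ]
}

# plan_moin TYPE CGI_PATH DATA_DIR: the two rules from the thread in one call.
plan_moin() {
    label_path "$1" "$2" "$2"
    label_path "$1" "$3(/.*)?" "$3"
}

# Usage: label_moin.sh TYPE /path/to/cgi-bin/moin.cgi [/var/lib/moin]
if [ -n "${1:-}" ]; then
    plan_moin "$1" "$2" "${3:-/var/lib/moin}"
fi
```

After running it without DRY_RUN, `verify_label /var/lib/moin` is the check that tells you whether the on-disk label and the persistent rule actually agree.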

_______________________________________________
Moin-user mailing list
Moin-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/moin-user