On Tuesday 17 July 2012 09:12:39 Ole Holm Nielsen wrote:
> Thanks for your advice, Paul Boddie! To answer Reimar Bauer about the
> use of CGI: I use it because it's simple to implement, and performance
> isn't an issue at present. I did look at mod_wsgi a long time ago and
> found it way too complex for simple usages of Moin.
I aim to take a closer look and integrate it into moinsetup. I've used
systems where mod_wsgi is deployed, but I haven't deployed it myself.

> >> SOLUTION:
> >> setsebool -P httpd_enable_cgi=on
> >> chcon -t httpd_unconfined_script_exec_t /.../cgi-bin/moin.cgi
> >
> > I'm not sure about the setsebool option, although I didn't set up Apache
> > in my environment that uses SELinux, but I found that I needed to give my
> > CGI script the httpd_sys_content_t type.
>
> That's interesting! It would be better to give moin.cgi minimal
> permissions. I find it really hard to get Moin to work under SELinux,
> and once it miraculously works, you have a hard time figuring out the
> minimal SELinux setup which would actually work :-(

Indeed. I had to download and unpack various policy packages to find out
what they were doing, such is the absence of decent concrete documentation
on the topic.

> I saw the setsebool command on http://moinmo.in/HowTo/FedoraSELinux but
> I don't know whether it's really required. It would be great if someone
> would have the time to write a similar HowTo for RHEL 6.x, since I think
> there may be differences (the Fedora HowTo didn't work for me, but I may
> have made mistakes).

I think it probably is. I see that httpd_enable_cgi is "on", and that I
had to set httpd_can_network_connect to "on" as well, although I now
wonder whether that wasn't for mod_proxy and not MySQL.

> > I'm using RHEL 6.3, so the above may be the solution. I also recommend
> > using semanage to make security context information permanent. For
> > example:
> >
> > semanage fcontext -a -t httpd_sys_content_t "/.../cgi-bin/moin.cgi"
>
> The semanage command isn't installed on my RHEL 6.3 systems by default,
> so now I did "yum install policycoreutils-python" to add it.
>
> Reading the semanage man-page, it's not at all obvious to me what the
> difference between "chcon" and "semanage fcontext -a" is?
I think semanage changes are supposed to be "permanent" so that the system
remembers that the file is supposed to have the given policy. Then...

> > If you have other files that Apache processes need to access, it may be
> > necessary to set this type for those files. For example:
> >
> > semanage fcontext -a -t httpd_sys_content_t "/var/lib/moin(/.*)?"
> >
> > This sets the type for a /var/lib/moin directory containing any separate
> > Wiki configuration and data.
> >
> > To enforce security context information according to the policies stated
> > above, do the following:
> >
> > restorecon -v /.../cgi-bin/moin.cgi
> > restorecon -R -v /var/lib/moin
> >
> > This should ensure that files get labelled automatically.
>
> The restorecon man-page says that it sets default SELinux security
> contexts, whatever those may be? Yes, a deep study of SELinux is
> something which I never bothered to do ;-)

...restorecon should be able to reset such files to the default policy as
set by semanage. Otherwise, you have to remember which files you've set
yourself and then chcon them all if they somehow get replaced or changed at
some point.

Paul

_______________________________________________
Moin-user mailing list
Moin-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/moin-user
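The chcon-versus-semanage point discussed in the thread, as an added example that is not part of the original mailing-list message or of MoinMoin itself: a small POSIX shell script that reads the SELinux type off `ls -Z` output for the CGI script and data directory, reports any file not labelled `httpd_sys_content_t`, and prints the `semanage fcontext` plus `restorecon` commands that would make the label persistent. The paths `/var/www/cgi-bin/moin.cgi` and `/var/lib/moin` and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit the SELinux types on the MoinMoin
# CGI script and data directory and print the persistent relabel commands.
# The paths below are assumptions; adjust them to your own layout.
MOIN_CGI="/var/www/cgi-bin/moin.cgi"
MOIN_DATA="/var/lib/moin"
EXPECTED_TYPE="httpd_sys_content_t"

# Extract the SELinux type (third field of user:role:type:level) from one
# line of `ls -Z` output, whatever other columns ls puts around it.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_]+:object_r:[A-Za-z0-9_]+:/) {
                split($i, c, ":"); print c[3]; exit
            }
    }'
}

# Succeed only when the ls -Z line carries the expected type.
label_matches() {
    [ "$(selinux_type_of "$1")" = "$2" ]
}

# semanage records the rule in the policy store so the label survives a
# relabel or file replacement; restorecon then applies it to what is on disk.
relabel_commands() {
    printf 'semanage fcontext -a -t %s "%s"\n' "$EXPECTED_TYPE" "$MOIN_CGI"
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$EXPECTED_TYPE" "$MOIN_DATA"
    printf 'restorecon -v "%s"\n' "$MOIN_CGI"
    printf 'restorecon -R -v "%s"\n' "$MOIN_DATA"
}

# Check both paths; non-zero status means at least one label needs fixing.
audit_moin_labels() {
    rc=0
    for f in "$MOIN_CGI" "$MOIN_DATA"; do
        line=$(ls -dZ "$f" 2>/dev/null) || { echo "missing: $f"; rc=1; continue; }
        if label_matches "$line" "$EXPECTED_TYPE"; then
            echo "ok: $f is $EXPECTED_TYPE"
        else
            echo "wrong type on $f: ${line}"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || { echo "to fix persistently, run:"; relabel_commands; }
    return "$rc"
}
# Usage: MOIN_AUDIT=1 sh moin_selinux_check.sh   (run as root on the web server)
if [ "${MOIN_AUDIT:-0}" = 1 ]; then audit_moin_labels; fi
```

A chcon-only setup passes this audit until the file is replaced or the filesystem relabelled, which is exactly the case the semanage rule covers.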