DevHeads.net

running CGI scripts with SELinux=ENFORCING with privileged commands ...

Hello,

How could it be achieved to run
e.g.
shutdown -h now
from a CGI script on a system where SELinux is set to ENFORCING?

Thanks
Walter

Comments

Re: running CGI scripts with SELinux=ENFORCING with pri

By Gordon Messmer at 08/20/2016 - 22:59

On 08/20/2016 12:00 PM, Walter H. wrote:

https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-sel-building-policy-module.html

Set enforcing mode to "permissive". Run the program you want to work
under enforcing mode. Collect the AVC entries from
/var/log/audit/audit.log. Use "audit2allow -M" to create a new module.
Install the module. Set enforcing mode to "enforcing."

Re: running CGI scripts with SELinux=ENFORCING with pri

By Jonathan Billings at 08/20/2016 - 17:59

Short answer: don't. You could probably create a custom SELinux policy that allowed it but you'd be opening your system up to more security issues.

If it were me, I'd have the CGI drop a file in a known location, and have an external process (possibly started through cron) monitor the file, then run shutdown conditionally.

Re: running CGI scripts with SELinux=ENFORCING with pri

By Walter H. at 08/21/2016 - 06:01

On 20.08.2016 23:59, Jonathan Billings wrote:
Where is the "best" directory I could do this "communication"?
e.g. /var/lib/box?

Thanks,
Walter
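
The flag-file approach Jonathan Billings describes, sketched as an added example (not code from any poster in this thread): a root-side watcher, run from cron, that checks for a request file and only then runs a fixed command. The function name, the flag file name, the return codes and the `apache` account are assumptions; `/var/lib/box` is simply the directory floated in the thread.

```shell
#!/bin/sh
# Added example: root-side watcher for a CGI-written shutdown request flag.
# Assumptions (not from the thread): function name, flag file name, return
# codes, and that the web server runs as "apache". The flag directory must
# be writable by that account and carry an SELinux label httpd may write
# to (for example httpd_sys_rw_content_t).

# handle_request FLAG OWNER COMMAND [ARGS...]
# Returns 0 if COMMAND ran, 1 if no request was pending, 2 if rejected.
handle_request() {
    flag=$1; owner=$2; shift 2

    # Nothing there (not even a dangling symlink): no request pending.
    if [ ! -e "$flag" ] && [ ! -L "$flag" ]; then
        return 1
    fi

    # Reject symlinks and anything that is not a plain file, so the web
    # server account cannot point the root job at some other path.
    if [ -L "$flag" ] || [ ! -f "$flag" ]; then
        rm -f -- "$flag"
        return 2
    fi

    # Only honour a flag created by the expected (web server) account.
    if [ "$(stat -c %U -- "$flag")" != "$owner" ]; then
        rm -f -- "$flag"
        return 2
    fi

    # Consume the flag first so one request triggers one action. The file
    # content is never read or executed; its existence is the whole message.
    rm -f -- "$flag" || return 2
    "$@"
}

# Run from root's crontab as: shutdown-watch.sh --cron
if [ "${1:-}" = "--cron" ]; then
    handle_request /var/lib/box/shutdown.request apache shutdown -h now
fi
```

With this split the CGI process needs only permission to create one file, so no SELinux rule letting the web server domain run `shutdown` is required.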