Walter H.
2016-Aug-20 19:00 UTC
[CentOS] running CGI scripts with SELinux=ENFORCING with privileged commands ...
Hello,

how could it be achieved to run
e.g.
shutdown -h now
from a CGI script on a system where SELinux is set to ENFORCING?

Thanks
Walter
Jonathan Billings
2016-Aug-20 21:59 UTC
[CentOS] running CGI scripts with SELinux=ENFORCING with privileged commands ...
> On Aug 20, 2016, at 15:00, Walter H. <Walter.H at mathemainzel.info> wrote:
>
> Hello,
>
> how could it be achieved to run
> e.g.
> shutdown -h now
> from a CGI script on a system where SELinux is set to ENFORCING?

Short answer: don't. You could probably create a custom SELinux policy that allowed it, but you'd be opening your system up to more security issues.

If it were me, I'd have the CGI drop a file in a known location, and have an external process (possibly started through cron) monitor the file, then run shutdown conditionally.

--
Jonathan Billings
Gordon Messmer
2016-Aug-21 02:59 UTC
[CentOS] running CGI scripts with SELinux=ENFORCING with privileged commands ...
On 08/20/2016 12:00 PM, Walter H. wrote:
> how could it be achieved to run
> X
> from a CGI script on a system where SELinux is set to ENFORCING?

https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-sel-building-policy-module.html

Set enforcing mode to "permissive". Run the program you want to work under enforcing mode. Collect the AVC entries from /var/log/audit/audit.log. Use "audit2allow -M" to create a new module. Install the module. Set enforcing mode to "enforcing."
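Added example, not a post in this thread and not from the CentOS guide linked above: the six-step audit2allow procedure Gordon lists, written as a script, with the review step a practitioner would insert between "create the module" and "install the module". Assumptions made for illustration: the CGI runs in the httpd_sys_script_t domain (the usual domain for Apache CGI scripts), the module is called cgi_shutdown, and the audit.log excerpt embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: Gordon's audit2allow procedure as a script,
# plus a review step. Assumptions: the module name "cgi_shutdown", the CGI domain
# httpd_sys_script_t, and the audit.log excerpt below are for illustration only.

# Constructed audit.log sample: one AVC denial for the CGI domain, one non-AVC
# record, and one AVC denial from another domain that must NOT end up in the module.
SAMPLE_AUDIT='type=AVC msg=audit(1471710000.123:456): avc:  denied  { execute } for  pid=1234 comm="shutdown.cgi" name="shutdown" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1471710000.123:456): arch=c000003e syscall=59 success=no exit=-13 comm="shutdown.cgi"
type=AVC msg=audit(1471710001.000:457): avc:  denied  { name_connect } for  pid=2222 comm="sshd" dest=25 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket'

# avc_summary SOURCE_TYPE: read audit.log records on stdin and print one
# "source target class perms" line per AVC denial whose source type matches.
# This is the manual review of what the generated module is about to allow.
avc_summary() {
    stype="$1"
    grep 'type=AVC' | grep "scontext=[^ ]*:${stype}:" |
    sed -n 's/.*denied  *{ *\([^}]*[^ }]\) *}.*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tclass=\([^ ]*\).*/\2 \3 \4 \1/p'
}

# Wrapper over the constructed sample so the filter can be checked offline.
demo_summary() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary httpd_sys_script_t
}

# build_module NAME SOURCE_TYPE: the six steps from the post, run as root on the
# target host. Only the CGI domain's denials are fed to audit2allow, so denials
# from unrelated services logged in the same window are not granted by accident.
build_module() {
    mod="$1"; stype="$2"
    setenforce 0                                          # 1. permissive
    echo "Now exercise the CGI, then press Enter"; read _  # 2. run the program
    grep 'type=AVC' /var/log/audit/audit.log |            # 3. collect AVC entries
        grep "scontext=[^ ]*:${stype}:" |
        audit2allow -M "$mod"                             # 4. writes $mod.te and $mod.pp
    echo "Review every allow rule before installing:"
    cat "$mod.te"
    semodule -i "$mod.pp"                                 # 5. install the module
    setenforce 1                                          # 6. back to enforcing
}

# Only run the privileged procedure when explicitly asked for.
if [ "${RUN_BUILD:-0}" = 1 ]; then
    build_module cgi_shutdown httpd_sys_script_t
fi
```

Two caveats worth keeping in mind with this procedure. `setenforce 0` makes the whole host permissive while you collect denials; `semanage permissive -a httpd_sys_script_t` instead makes only that domain permissive, which is usually what you want on a box with other services. And whatever the generated .te file allows is granted to every script in httpd_sys_script_t, not just the one you tested, which is the point Jonathan makes above.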
Walter H.
2016-Aug-21 10:01 UTC
[CentOS] running CGI scripts with SELinux=ENFORCING with privileged commands ...
On 20.08.2016 23:59, Jonathan Billings wrote:
>> On Aug 20, 2016, at 15:00, Walter H.<Walter.H at mathemainzel.info> wrote:
>>
>> Hello,
>>
>> how could it be achieved to run
>> e.g.
>> shutdown -h now
>> from a CGI script on a system where SELinux is set to ENFORCING?
>
> Short answer: don't. You could probably create a custom selinux policy that allowed it but you'd be opening your system up to more security issues.
>
> If it were me, I'd have the cgi drop a file in a known location, and have an external process (possibly started through cron) monitor the file, then run shutdown conditionally.
>

I thought of such a mechanism; I also want to show some states which also need privileged rights, e.g. arp, iptables -L -n -v, ... but these are many write accesses to the disk. Shutdown/restart just generates one write access by the CGI script, and the cron job deletes this generated file and does the shutdown or restart.

Where is the "best" directory I could do this "communication"? e.g. /var/lib/box?

Thanks,
Walter
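Added example, not a post in this thread: the cron-side half of the mechanism Jonathan suggests and Walter describes (the CGI writes one request file, a privileged cron job consumes it and runs the shutdown or restart). The directory /var/lib/box is taken from Walter's message as an assumption, not as an answer to his question; the file name "request", the two permitted request words and the cron line in the comments are likewise assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: a cron job that consumes a request file
# dropped by a CGI and runs the privileged command on its behalf.
# Assumptions: spool directory /var/lib/box, file name "request", and a cron
# entry along the lines of
#   * * * * * root /usr/local/sbin/box-watch
# none of which come from the thread.

SPOOL_DIR="${SPOOL_DIR:-/var/lib/box}"

# command_for TOKEN: map the two permitted request words to the privileged
# command. Anything else is rejected, so the CGI (and anyone who can write to
# the spool as the web user) can only choose between these two actions and
# never supplies a command line.
command_for() {
    case "$1" in
        shutdown) echo "/sbin/shutdown -h now" ;;
        reboot)   echo "/sbin/shutdown -r now" ;;
        *)        return 1 ;;
    esac
}

# process_request DIR [RUNNER]: consume DIR/request. Exit status 0 = action ran,
# 1 = no request present, 2 = request rejected. The file is removed before the
# action runs, so a failing action is not retried every minute forever, and
# symlinks or non-regular files are refused so the web user cannot point the
# job at some other file. RUNNER (default "sh -c") receives the command; the
# test passes "echo" so nothing is actually shut down.
process_request() {
    dir="$1"; runner="${2:-sh -c}"
    req="$dir/request"
    if [ ! -e "$req" ] && [ ! -L "$req" ]; then
        return 1
    fi
    if [ -L "$req" ] || [ ! -f "$req" ]; then
        rm -f "$req"
        return 2
    fi
    # First line only, lower-case letters only: "shutdown\n" becomes shutdown,
    # "shutdown -r now" becomes shutdownrnow and is rejected below.
    token=$(head -n 1 "$req" | tr -cd 'a-z')
    rm -f "$req"
    cmd=$(command_for "$token") || return 2
    $runner "$cmd"
}

# Real cron entry point; guarded so merely sourcing the file does nothing.
if [ "${BOX_WATCH_RUN:-0}" = 1 ]; then
    process_request "$SPOOL_DIR"
fi
```

On the CGI side, write the word to a temporary file in the same directory and rename it to "request", so the cron job never reads a half-written file. Whatever directory is chosen must be writable by the web server user but nothing else, and under enforcing SELinux the CGI domain also needs a label it may write to; assuming /var/lib/box, that is `semanage fcontext -a -t httpd_sys_rw_content_t '/var/lib/box(/.*)?'` followed by `restorecon -Rv /var/lib/box`. The status displays Walter mentions (arp, iptables -L -n -v) fit the same pattern in the other direction: the cron job writes their output into the spool and the CGI only reads it.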