Hello,
how could it be achieved to run e.g. shutdown -h now from a CGI script on a system where SELinux is set to ENFORCING?
Thanks Walter
On Aug 20, 2016, at 15:00, Walter H. Walter.H@mathemainzel.info wrote:
> Hello,
> how could it be achieved to run e.g. shutdown -h now from a CGI script on a system where SELinux is set to ENFORCING?
Short answer: don't. You could probably create a custom selinux policy that allowed it but you'd be opening your system up to more security issues.
If it were me, I'd have the cgi drop a file in a known location, and have an external process (possibly started through cron) monitor the file, then run shutdown conditionally.
-- Jonathan Billings
On 20.08.2016 23:59, Jonathan Billings wrote:
> On Aug 20, 2016, at 15:00, Walter H. Walter.H@mathemainzel.info wrote:
>> Hello,
>> how could it be achieved to run e.g. shutdown -h now from a CGI script on a system where SELinux is set to ENFORCING?
> Short answer: don't. You could probably create a custom selinux policy that allowed it but you'd be opening your system up to more security issues.
> If it were me, I'd have the cgi drop a file in a known location, and have an external process (possibly started through cron) monitor the file, then run shutdown conditionally.
I thought of such a mechanism; I also want to show some states which also need privileged rights, e.g. arp, iptables -L -n -v, ... but these are many write accesses to the disk; shutdown/restart just generate one write access by the CGI script, and the cron job deletes this generated file and does the shutdown or restart.
Where is the "best" directory I could do this "communication"? e.g. /var/lib/box?
Thanks, Walter
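The file-drop mechanism discussed in the messages above, sketched as the root-side watcher a cron entry would call. This is an added example, not code from the thread. The request file name `power.request`, the action words `halt`/`reboot`, the CGI account `apache` and the `--run` switch are assumptions; `/var/lib/box` is the directory floated in the question.

```shell
#!/bin/sh
# Root-side watcher for the CGI file-drop mechanism (added example).
# Assumed names: power.request, halt/reboot, user "apache", switch --run.
SPOOL_DIR="${SPOOL_DIR:-/var/lib/box}"
CGI_USER="${CGI_USER:-apache}"

# validate_request FILE OWNER
# Prints the approved action and returns 0; prints nothing and returns 1 otherwise.
# The file content is only compared against a fixed list, never executed.
validate_request() {
    req=$1 owner=$2
    [ -L "$req" ] && return 1                  # refuse symlinks
    [ -f "$req" ] || return 1                  # regular files only
    [ "$(stat -c %U "$req")" = "$owner" ] || return 1   # must come from the CGI user
    [ "$(wc -c < "$req")" -le 16 ] || return 1          # a request is a few bytes
    # Read the first line; tolerate a missing trailing newline.
    IFS= read -r word < "$req" || [ -n "$word" ] || return 1
    case $word in
        halt|reboot) printf '%s\n' "$word" ;;
        *) return 1 ;;
    esac
}

# consume_request DIR OWNER
# Validates DIR/power.request, deletes it in every case, prints the approved action.
consume_request() {
    req="$1/power.request"
    if action=$(validate_request "$req" "$2"); then rc=0; else rc=1; fi
    rm -f -- "$req"    # drop invalid files too, so they are not retried on each run
    [ "$rc" -eq 0 ] && printf '%s\n' "$action"
    return "$rc"
}

# Act only when called as "<script> --run", e.g. from root's crontab.
if [ "${1:-}" = "--run" ]; then
    case $(consume_request "$SPOOL_DIR" "$CGI_USER") in
        halt)   logger -t box-watcher "halt requested via CGI";   shutdown -h now ;;
        reboot) logger -t box-watcher "reboot requested via CGI"; shutdown -r now ;;
    esac
fi
```

The CGI can only create the file if SELinux lets the web server's script domain write to the spool directory; the label that grants this is not given in the thread and depends on the policy in use.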
On 08/20/2016 12:00 PM, Walter H. wrote:
> how could it be achieved to run X from a CGI script on a system where SELinux is set to ENFORCING?
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-sel-building-p...
Set enforcing mode to "permissive". Run the program you want to work under enforcing mode. Collect the AVC entries from /var/log/audit/audit.log. Use "audit2allow -M" to create a new module. Install the module. Set enforcing mode to "enforcing."