On 20.08.2016 23:59, Jonathan Billings wrote:

...

On Aug 20, 2016, at 15:00, Walter H.Walter.H@mathemainzel.info wrote:

Hello,

how could it be achieved to run e.g. shutdown -h now from a CGI script on a system where SELinux is set to ENFORCING?

Short answer: don't. You could probably create a custom selinux policy that allowed it but you'd be opening your system up to more security issues.

If it were me, I'd have the cgi drop a file in a known location, and have an external process (possibly started through cron) monitor the file, then run shutdown conditionally.

I thought of such a mechanism; I also want to show some states which also need priviledged rights e.g. arp, iptables -L -n -v, ... but these are many write access to the disk, shutdown/restart just generate one write access by the CGI script and the cron job deletes this generated file and does the shutdown or restart

where is the "best" directory I could do this "communication"? e.g. /var/lib/box?

Thanks, Walter