how could it be achieved to run e.g. shutdown -h now from a CGI script on a system where SELinux is set to ENFORCING?
Thanks Walter
3 thoughts on - Running CGI Scripts With SELinux=ENFORCING With Priviledged Commands …
Short answer: don’t. You could probably create a custom selinux policy that allowed it but you’d be opening your system up to more security issues.
If it were me, I’d have the cgi drop a file in a known location, and have an external process (possibly started through cron) monitor the file, then run shutdown conditionally.
Set enforcing mode to “permissive”. Run the program you want to work under enforcing mode. Collect the AVC entries from
/var/log/audit/audit.log. Use “audit2allow -M” to create a new module.
Install the module. Set enforcing mode to “enforcing.”
I thought of such a mechanism; I also want to show some states which also need priviledged rights e.g. arp, iptables -L -n -v, … but these are many write access to the disk, shutdown/restart just generate one write access by the CGI script and the cron job deletes this generated file and does the shutdown or restart
where is the “best” directory I could do this “communication”?
e.g. /var/lib/box?
3 thoughts on - Running CGI Scripts With SELinux=ENFORCING With Priviledged Commands …
Short answer: don’t. You could probably create a custom selinux policy that allowed it but you’d be opening your system up to more security issues.
If it were me, I’d have the cgi drop a file in a known location, and have an external process (possibly started through cron) monitor the file, then run shutdown conditionally.
https://www.CentOS.org/docs/5/html/Deployment_Guide-en-US/sec-sel-building-policy-module.html
Set enforcing mode to “permissive”. Run the program you want to work under enforcing mode. Collect the AVC entries from
/var/log/audit/audit.log. Use “audit2allow -M” to create a new module.
Install the module. Set enforcing mode to “enforcing.”
I thought of such a mechanism; I also want to show some states which also need priviledged rights e.g. arp, iptables -L -n -v, … but these are many write access to the disk, shutdown/restart just generate one write access by the CGI script and the cron job deletes this generated file and does the shutdown or restart
where is the “best” directory I could do this “communication”?
e.g. /var/lib/box?
Thanks, Walter