Movable Type Plugins and SELinux
March 17th, 2006

At work yesterday, I was setting up Movable Type 3.2 on a Red Hat Enterprise Linux 4 OS with SELinux enabled in targeted mode. Movable Type worked just fine, except that it refused to discover its plugins. All were installed properly in the right directory, but MT just refused to recognize them. I eventually figured, by turning off SELinux, that it was the security policy that was causing the problem. More correctly, it was the way the cgi-bin directory was labeled that was causing the problem.
The file context for the web server labels everything under /var/www/cgi-bin with the label httpd_sys_script_exec_t. The problem is that the policy associated with this label doesn’t allow reading the directories - it assumes that the path to each CGI executable is known in advance. But Movable Type’s plugins are discovered on the fly, by searching through the plugins directory for configuration files, and then executing them. The solution was to change the label for the cgi-bin directory to httpd_unconfined_script_exec_t.
To do this open the file
/etc/selinux/targeted/src/policy/file_contexts/program/apache.fc
and change the line
/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
to
/var/www/cgi-bin(/.*)? system_u:object_r:httpd_unconfined_script_exec_t
Then go to directory
/etc/selinux/targeted/src/policy/
And run
% make
% /usr/sbin/setfiles file_contexts/file_contexts /var/www/cgi-bin
to rebuild the policy and relabel the affected files.
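As an added example (not from the original post), the following shell script stages the apache.fc edit described above on a constructed three-line copy of the file, fails unless exactly one entry changed, and prints the diff to review before running make and setfiles. The sample file contents and the helper names are my own; on a real host the file would be /etc/selinux/targeted/src/policy/file_contexts/program/apache.fc.

```shell
#!/bin/sh
# Added example, not from the original post: stage the apache.fc change on a
# copy, confirm exactly one entry changed, and show the diff before rebuilding.

# Constructed excerpt of apache.fc (three lines, not the real full file).
make_sample_fc() {
    cat > "$1" <<'EOF'
/var/www(/.*)?                 system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)?         system_u:object_r:httpd_sys_script_exec_t
/var/log/httpd(/.*)?           system_u:object_r:httpd_log_t
EOF
}

# Print the SELinux type recorded for a path regex exactly as written in the file.
fc_type_for() {   # $1 = fc file, $2 = path regex
    awk -v p="$2" '$1 == p { split($2, c, ":"); print c[3] }' "$1"
}

# Replace the type on the entry for $2 (old type $3 -> new type $4).
# Keeps a .bak copy and fails (restoring the original) unless exactly one
# line changed, so a typo in the path regex cannot silently edit nothing.
fc_set_type() {   # $1 = fc file, $2 = path regex, $3 = old type, $4 = new type
    cp "$1" "$1.bak"
    awk -v p="$2" -v o="$3" -v n="$4" '
        $1 == p && index($2, ":" o) { sub(":" o, ":" n); hits++ }
        { print }
        END { exit (hits == 1) ? 0 : 1 }' "$1.bak" > "$1" \
        || { mv "$1.bak" "$1"; return 1; }
}

# Show what changed. Note the regex covers everything under /var/www/cgi-bin,
# so every CGI there, not only Movable Type, runs unconfined after relabeling.
fc_show_change() { diff "$1.bak" "$1" || true; }

# Stand-alone run against a temporary sample file.
SAMPLE=$(mktemp)
make_sample_fc "$SAMPLE"
fc_set_type "$SAMPLE" '/var/www/cgi-bin(/.*)?' \
    httpd_sys_script_exec_t httpd_unconfined_script_exec_t
fc_show_change "$SAMPLE"
```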
This works for me, but my concern is that I may have inadvertently weakened my security policy for apache more than I realize. I’ve looked at the differences between the two labels I mentioned above, and it looks like I’m not opening any huge holes in my security, but my understanding of SELinux is not very deep, and there may be something there that I’m not seeing. I’ll go to the next Houston BALUG meeting and ask Mark Westerman. If anyone around here can tell me, it’s Mark.

March 17th, 2006 at 8:08 am
Double YAWN.