Hi,
I have read:
http://lists.centos.org/pipermail/centos/2005-March/003429.html,
http://fedora.redhat.com/docs/selinux-apache-fc3/sn-using-other-types.html
RedHat Selinux Documentation (PDF) (some parts)
and they helped me solve some difficulties, including the necessity to
mount /var/www with -o suid.
Now I'm getting these 2 errors in /var/log/messages whenever I execute a
cgi:
%--------------------------
avc: denied { create } for pid=17995 comm="suexec"
scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_suexec_t
tclass=netlink_route_socket
avc: denied { read } for pid=17995 comm="suexec"
name="cert.pem" dev=dm-0
ino=520402 scontext=root:system_r:httpd_suexec_t
tcontext=system_u:object_r:usr_t tclass=lnk_file
%--------------------------
This is independent of the script being perl or sh, and despite the errors
the cgi executes correctly.
'sestatus' reports:
httpd_builtin_scripting active
httpd_disable_trans inactive
httpd_enable_cgi active
httpd_enable_homedirs inactive
httpd_ssi_exec inactive
httpd_tty_comm inactive
httpd_unified inactive
Neither httpd_ssi_exec nor httpd_unified has made any difference to those
errors.
When I deactivate mod_suexec and comment SuexecUserGroup in Apache configs,
those errors stop appearing.
So I think this problem has to do directly with selinux policy and
mod_suexec.
Could this be a bug in selinux-policy-targeted, which doesn't bring 100%
support for the "native" mod_suexec?
--
Vilela
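
Added example, not part of the original message: a small parser that rejoins the two wrapped AVC denials quoted above and renders each as the type-enforcement allow rule it corresponds to, that is, the permission the loaded policy does not grant to httpd_suexec_t. The function names are hypothetical and the sample text is constructed from the log lines in the post.

```python
import re

# Constructed sample: the two denials quoted in the post, wrapped across
# lines the same way they appear there.
SAMPLE = """\
avc: denied { create } for pid=17995 comm="suexec"
scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_suexec_t
tclass=netlink_route_socket
avc: denied { read } for pid=17995 comm="suexec"
name="cert.pem" dev=dm-0
ino=520402 scontext=root:system_r:httpd_suexec_t
tcontext=system_u:object_r:usr_t tclass=lnk_file
"""

PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    """Rejoin wrapped records; return one dict of fields per AVC denial."""
    records = []
    for line in text.splitlines():
        if "avc:" in line:
            records.append([])          # a new record starts here
        if records:
            records[-1].append(line.strip())
    denials = []
    for parts in records:
        joined = " ".join(parts)
        perms = PERMS.search(joined)
        fields = {k: v.strip('"') for k, v in FIELD.findall(joined)}
        if perms and {"scontext", "tcontext", "tclass"} <= fields.keys():
            fields["perms"] = perms.group(1).split()
            denials.append(fields)      # truncated records are skipped
    return denials

def type_of(context):
    """Type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def to_rule(d):
    """Render a denial as the allow rule that would permit it."""
    src, tgt = type_of(d["scontext"]), type_of(d["tcontext"])
    tgt = "self" if tgt == src else tgt
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
    return "allow %s %s:%s %s;" % (src, tgt, d["tclass"], perms)

if __name__ == "__main__":
    for denial in parse_denials(SAMPLE):
        print(denial["comm"], denial.get("name", "-"), "->", to_rule(denial))
```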