On Thu, 2005-08-18 at 14:38 +0530, Ankush Grover wrote:
> hey friends,
>
> I have configured cvs and viewcvs on FC3 but I am not able to access
> viewcvs when SELinux is on.
>
> The /var/log/messages contains these entries
>
> avc: denied { execute } for pid=5233 exe=/usr/sbin/httpd
> name=viewcvs.cgi dev=hda5 ino=198687 scontext=user_u:system_r:httpd_t
> tcontext=system_u:object_r:usr_t tclass=file
>
> When I switch off SELinux I am able to access the viewcvs through the browser.
>
> ls -lZ /usr/local/viewcvs
>
> drwxr-xr-x root root system_u:object_r:usr_t cgi
> -rwxr-xr-x root root system_u:object_r:usr_t cvsdbadmin
> -rw-r--r-- root root system_u:object_r:usr_t cvsgraph.conf
> drwxr-xr-x root root system_u:object_r:usr_t doc
> drwxr-xr-x root root system_u:object_r:lib_t lib
> -rwxr-xr-x root root system_u:object_r:usr_t loginfo-handler
> -rwxr-xr-x root root system_u:object_r:usr_t make-database
> -rwxr-xr-x root root system_u:object_r:usr_t standalone.py
> drwxr-xr-x root root system_u:object_r:usr_t templates
> -rw-r--r-- root root system_u:object_r:usr_t viewcvs.conf
>
>
> I also did this make -C /etc/selinux/targeted/src/policy reload
>
> restorecon -R /usr/local/viewcvs
>
> But still the problem is persisting.

Not surprising; I wouldn't expect there to be any policy for anything
under /usr/local because just about anything could be installed just
about anywhere under there.

The targeted policy expects to find CGI scripts for instance
under /var/www/cgi-bin and hence assigns a type of
httpd_sys_script_exec_t to things in that directory, which can then be
executed by httpd (provided the httpd_enable_cgi boolean is enabled).

A good start might be:

# setsebool -P httpd_enable_cgi 1
# chcon -R -t httpd_sys_script_exec_t /usr/local/viewcvs/cgi

Further reading:
- man httpd_selinux
- http://fedora.redhat.com/docs/selinux-apache-fc3/
  (there's a good section on customising policy in that document)

Paul.
-- 
Paul Howarth <paul@xxxxxxxxxxxx>