On Wed, 2005-08-17 at 19:10 +0200, Eric Tanguy wrote:
> On Wednesday, 17 August 2005 at 12:35 +0100, Paul Howarth wrote:
> > Eric Tanguy wrote:
> > > On Wednesday, 17 August 2005 at 12:37 +0200, Eric Tanguy wrote:
> > > If I disable selinux I can edit options, view help and chat. So there is
> > > still some problem with the selinux context. Does someone have an idea?
> >
> > As always with SELinux issues, look for the avc messages in
> > /var/log/messages, or /var/log/audit/audit.log if you're running auditd.
> >
> > Paul.
>
> Thanks, but it's quite difficult to understand /var/log/audit/audit.log!
> The only lines I found in this file referring to my problem (I think ...)
> are:
> type=AVC msg=audit(1124298167.251:3778508): avc: denied { read } for
> pid=3907 comm="irc.cgi" name="formats" dev=dm-0 ino=8323109
> scontext=system_u:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=dir

Your cgi script irc.cgi is trying to read a file called "formats", which
it's not allowed to do because that file has context
system_u:object_r:httpd_sys_script_exec_t. Does the "formats" file live in
/var/www/cgi-bin and is it a regular file, not a script? If so, changing
the context of that file (e.g. to httpd_sys_content_t) might help.

> type=AVC msg=audit(1124298171.144:3812320): avc: denied { connectto }
> for pid=3922 comm="client-perl.cgi" name="sock"
> scontext=system_u:system_r:httpd_sys_script_t
> tcontext=system_u:system_r:httpd_sys_script_t tclass=unix_stream_socket

Your cgi script client-perl.cgi is trying to connect to a socket. Might be
a similar issue to the one above.

> But I can't understand where the problem is.
> If someone could help me ...

There are several approaches you could take. First would be to try to get
the contexts of the files right so that the operations were allowed by
existing policy. Second would be to tweak the policy to allow the things
your CGIs are trying to do. The command:

# audit2allow -i /var/log/audit/audit.log -l

will show the rules that need to be added to the policy to allow all the
things that were denied by policy since the last policy reload. The Apache
SELinux FAQ at http://fedora.redhat.com/docs/selinux-apache-fc3/ includes
details of customising policy.

A quick and dirty but relatively less secure third option would be to
change the context of the troublesome scripts to
httpd_unconfined_script_exec_t. This pretty well turns off SELinux
protection for the script and lets it do whatever it wants. This one's
mentioned in "man httpd_selinux".

Paul.

--
Paul Howarth <paul@xxxxxxxxxxxx>
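The two denials quoted above, run through a small parser that reduces each AVC record to the source type, target type, class and permission a policy rule needs, and then prints them in the allow-rule form audit2allow produces. This is an added example, not part of the thread and not audit2allow itself; the sample log is constructed from the two AVC lines in the message plus one unrelated SYSCALL record that must be ignored.

```shell
#!/bin/sh
# Constructed sample: the two AVC denials from the message, plus one
# non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1124298167.251:3778508): avc: denied { read } for pid=3907 comm="irc.cgi" name="formats" dev=dm-0 ino=8323109 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=dir
type=AVC msg=audit(1124298171.144:3812320): avc: denied { connectto } for pid=3922 comm="client-perl.cgi" name="sock" scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:system_r:httpd_sys_script_t tclass=unix_stream_socket
type=SYSCALL msg=audit(1124298167.251:3778508): arch=40000003 syscall=5 success=no exit=-13 comm="irc.cgi"'

# summarise_avc: read audit records on stdin and print, for each AVC denial,
#   <comm> <source type> <target type> <class> <permission(s)>
# The type is the third colon-separated field of a context; a fourth (MLS)
# field, if present, is ignored. Records that are not AVC denials print nothing.
summarise_avc() {
  sed -n 's/^type=AVC .*avc: *denied *{ *\([^}]*[^ }]\) *} for .*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^ :]*\).*tcontext=[^:]*:[^:]*:\([^ :]*\).*tclass=\([^ ]*\).*$/\2 \3 \4 \5 \1/p'
}

# avc_to_allow_rules: the same denials rendered as policy allow rules, one per
# distinct (source, target, class, permissions) tuple, e.g.
#   allow httpd_sys_script_t httpd_sys_script_exec_t:dir { read };
# Reviewing these before loading them is the point: the first rule here is
# better fixed by relabelling "formats" than by widening the policy.
avc_to_allow_rules() {
  summarise_avc | awk '{
    perms = $5
    for (i = 6; i <= NF; i++) perms = perms " " $i
    print "allow " $2 " " $3 ":" $4 " { " perms " };"
  }' | sort -u
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarise_avc
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_to_allow_rules
```

On a real system, replace the sample with `cat /var/log/audit/audit.log | summarise_avc` to get the same summary for live denials.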