Re: SELinux vs BackupPC web interface

George Avrunin wrote:
I have BackupPC-3.0.0-3.fc8 installed on a fully updated Fedora 8
machine (clean install, not an upgrade). I have put the BackupPC_Admin
script (the web interface) in /var/www/cgi-bin/BackupPC/, which is
where I had it in a non-rpm installation under FC 6, which is what I
had on this machine before F8.

By fiddling with booleans, I had gotten the web interface to run fine under
FC6.  But now I have to set selinux to permissive to use the web
interface.  I get the following sort of thing in sealert:

Summary
SELinux is preventing /usr/bin/sperl5.8.8 (httpd_sys_script_t)
"setuid" to (httpd_sys_script_t).

Detailed Description
SELinux denied access requested by /usr/bin/sperl5.8.8. It is not
expected that this access is required by /usr/bin/sperl5.8.8 and this
access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this
package.

Additional Information

Source Context:	system_u:system_r:httpd_sys_script_t:s0
Target Context:	system_u:system_r:httpd_sys_script_t:s0
Target Objects:	None [ capability ]
Affected RPM Packages:	perl-suidperl-5.8.8-31.fc8 [application]
Policy RPM:	selinux-policy-3.0.8-47.fc8
Selinux Enabled:	True
Policy Type:	targeted
MLS Enabled:	True
Enforcing Mode:	Permissive
Plugin Name:	plugins.catchall
Host Name:	g2
Platform:	Linux g2 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007
i686 i686
Alert Count:	15
First Seen:	Sun 11 Nov 2007 12:18:32 PM EST
Last Seen:	Thu 15 Nov 2007 08:50:48 PM EST
Local ID:	3601b195-d0fb-4477-b969-c6f87a3a5fc9
Line Numbers:	

Raw Audit Messages :

avc: denied { setuid } for comm=sperl5.8.8 egid=48 euid=493
exe=/usr/bin/sperl5.8.8 exit=0 fsgid=48 fsuid=493 gid=48 items=0
pid=3645 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=48
subj=system_u:system_r:httpd_sys_script_t:s0 suid=0 tclass=capability
tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48

For now, I'm working around it by setting selinux to permissive while
I use the web interface, and then setting it back to enforcing.  But
I'd rather sort out why it's not working--I've probably missed some
obvious configuration setting.  I would be grateful for any
suggestions for straightening this out.

Thanks,

  George

I take it the script begins
  #!/usr/bin/sperl

Change it to
  #!/usr/bin/perl
and see what you see.

--

Cheers
John

-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

Please do not reply off-list

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
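
For readers triaging a denial like the one quoted in this thread, the following added example (not part of either poster's message) parses the raw AVC record and renders the access it describes as a type-enforcement rule, so it can be reviewed before deciding whether a local policy module is warranted. The function names are illustrative assumptions, and the record is the one from the message, rejoined onto one line.

```python
import re

# The raw AVC record quoted in the message above, rejoined onto one line.
AVC_RECORD = (
    "avc: denied { setuid } for comm=sperl5.8.8 egid=48 euid=493 "
    "exe=/usr/bin/sperl5.8.8 exit=0 fsgid=48 fsuid=493 gid=48 items=0 "
    "pid=3645 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=48 "
    "subj=system_u:system_r:httpd_sys_script_t:s0 suid=0 tclass=capability "
    "tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48"
)

def parse_avc(record):
    """Split an AVC record into verdict, permission list and key=value fields."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", record)
    if m is None:
        raise ValueError("not an AVC record")
    fields = dict(tok.split("=", 1) for tok in m.group(3).split() if "=" in tok)
    return {"verdict": m.group(1), "perms": m.group(2).split(), "fields": fields}

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]

def te_rule(avc):
    """Render the access the record describes as an allow rule, for review only."""
    src = selinux_type(avc["fields"]["scontext"])
    tgt = selinux_type(avc["fields"]["tcontext"])
    # A capability check targets the process's own domain, written as "self".
    target = "self" if src == tgt else tgt
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (src, target, avc["fields"]["tclass"], perm_text)

def process_ids(avc):
    """Collect the real, effective, saved and filesystem UIDs logged with the denial."""
    return {k: int(avc["fields"][k]) for k in ("uid", "euid", "suid", "fsuid")}

if __name__ == "__main__":
    avc = parse_avc(AVC_RECORD)
    print(avc["verdict"], avc["fields"]["comm"], process_ids(avc))
    print(te_rule(avc))
```

The rendered rule shows what would be granted: the setuid capability for every script running in httpd_sys_script_t, not only for this one CGI.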