[Centos] cgi trouble with apache and selinux




Jim Perrin wrote:
> Try running 'setsebool httpd_enable_cgi true'
> as root. This should fix it. 
> You may also want to check out http://fedora.redhat.com/docs/selinux-apache-fc3/
> as it has some good documentation. I assume RHEL4 has some selinux
> docs as well, but I haven't read through them yet.

I've checked the httpd_enable_cgi boolean, and it was at its default value 
(enabled):

    # grep httpd_enable_cgi /etc/selinux/targeted/booleans
    httpd_enable_cgi=1
    # getsebool httpd_enable_cgi
    httpd_enable_cgi --> active

Checked the document you and Marc were referring to, and couldn't find 
anything different in my configuration from what was described in that 
document.

Running audit2allow on /var/log/messages produced this output:

    # audit2allow -i /var/log/messages -l
    allow httpd_t httpd_sys_script_exec_t:file execute_no_trans;

Looking into the source for the targeted policy, it seems as if this is not 
enabled.  Bug in targeted policy rules?

Anyhow, I've tried to add a similar line to the 
macros/program/apache_macros.te file, just after a similar line for 
r_dir_perms:

    allow httpd_t httpd_$1_script_exec_t:file execute_no_trans;

And did "make reload".  After doing this, execution of CGI scripts seems 
to be working.  The shell script CGI ran fine, there was one ioctl 
blocked by SELinux.  For compiled CGI, I need to enable it to read 
a couple of files from the system first, but it seems to be working.

-- 
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
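
An added example, not part of the original post and not audit2allow's own code: it shows how AVC denial lines in a log map to allow rules of the form quoted above, so each proposed rule can be reviewed against the denial that produced it. The log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the post), in kernel AVC format.
SAMPLE_LOG = """\
Mar  1 10:00:01 web kernel: audit(1109671201.100:0): avc:  denied  { execute_no_trans } for  pid=2101 exe=/usr/sbin/httpd path=/var/www/cgi-bin/test.sh dev=hda2 ino=4711 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file
Mar  1 10:00:02 web kernel: audit(1109671202.200:0): avc:  denied  { ioctl } for  pid=2102 exe=/bin/bash path=/dev/pts/1 dev=devpts ino=3 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
Mar  1 10:00:03 web kernel: audit(1109671203.300:0): avc:  denied  { read getattr } for  pid=2103 exe=/var/www/cgi-bin/app path=/etc/app.conf dev=hda2 ino=99 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Mar  1 10:00:04 web sshd[2200]: Accepted password for admin from 192.0.2.10
"""

# Denied permissions, then source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def ctx_type(context):
    """Return the type field of user:role:type[:level]."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial, e.g. the sshd line above
        key = (ctx_type(m["s"]), ctx_type(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
    return rules

def to_allow_rules(rules):
    """Render grouped denials as policy 'allow' statements, sorted for review."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out

if __name__ == "__main__":
    for rule in to_allow_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```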
