____________________________________________
Adam Wead
Systems and Digital Collections Librarian
Rock and Roll Hall of Fame and Museum
216.515.1960 (t)
215.515.1964 (f)
On Wed, Aug 10, 2011 at 12:32 PM, Paul Heinlein <heinlein@xxxxxxxxxx> wrote:
I've got a CentOS 6 machine that's slated to go into production
providing some web and development-repository services.

Part of the environment is gitweb, which works as expected with one
glitch: SELinux doesn't allow gitweb.cgi to query sssd to display who
owns the repositories.

The audit log entries are pretty straightforward, e.g.,

  type=AVC msg=audit(XXXXXXXXXXXX): avc: denied { search } for
  pid=XXXX comm="gitweb.cgi" name="sss" dev=XXX ino=XXXXXXXXXXX
  scontext=unconfined_u:system_r:httpd_git_script_t:s0
  tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir

I'll use audit2allow to build a custom policy if need be, but what I'd
really like to hear is that there's an SELinux boolean that can be
tweaked or a file context that can be altered to make things work as
expected.
--
Paul Heinlein <> heinlein@xxxxxxxxxx <> http://www.madboa.com/
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
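
Added example, not part of the original thread: a small Python parser that reads AVC denials like the one quoted above and derives the type-enforcement allow rule a custom policy would need, so the grant can be reviewed before any module is built. The function names are illustrative, and the sample record is the one from the message joined onto one line with its redactions kept.

```python
import re
from collections import defaultdict

# The denial from the message above, joined onto one line (redactions kept as posted).
SAMPLE = (
    'type=AVC msg=audit(XXXXXXXXXXXX): avc: denied { search } for '
    'pid=XXXX comm="gitweb.cgi" name="sss" dev=XXX ino=XXXXXXXXXXX '
    'scontext=unconfined_u:system_r:httpd_git_script_t:s0 '
    'tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(':')[2]

def parse_avc(line):
    """Parse one AVC denial; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'source': context_type(m.group('scon')),
        'target': context_type(m.group('tcon')),
        'tclass': m.group('tclass'),
        'perms': set(m.group('perms').split()),
    }

def allow_rules(lines):
    """Merge denials per (source, target, class) into sorted allow rules."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            merged[(d['source'], d['target'], d['tclass'])] |= d['perms']
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules([SAMPLE])))
```

Reading the derived rule makes the scope of the grant explicit: it covers every process in the source domain and every directory carrying the target type, not just gitweb.cgi and the one "sss" directory.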