I have read:
http://lists.centos.org/pipermail/centos/2005-March/003429.html, http://fedora.redhat.com/docs/selinux-apache-fc3/sn-using-other-types.html
RedHat Selinux Documentation (PDF) (some parts)
and they helped me solve a some difficulties, including the necessity to mount /var/www with -o suid.
Now I'm getting these 2 errors in /var/log/messages whenever I execute a cgi:
%--------------------------
avc: denied { create } for pid=17995 comm="suexec" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_suexec_t tclass=netlink_route_socket
avc: denied { read } for pid=17995 comm="suexec" name="cert.pem" dev=dm-0 ino=520402 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:usr_t tclass=lnk_file
%--------------------------
This is independent of the script being perl or sh, and despite the errors the cgi executes correctly.
'sestatus' reports:
httpd_builtin_scripting active
httpd_disable_trans inactive
httpd_enable_cgi active
httpd_enable_homedirs inactive
httpd_ssi_exec inactive
httpd_tty_comm inactive
httpd_unified inactive
Either httpd_ssi_exec or httpd_unified have made no difference in those errors.
When I deactivate mod_suexec and comment SuexecUserGroup in Apache configs, those errors stop appearing.
So I think this problem has to do directly with selinux policy and mod_suexec.
Could this be a bug on selinux-policy-targeted, that doesn't bring 100% support for the "native" mod_suexec?
--
Vilela
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
