A little script that runs in cron complained about stuff after I turned on
selinux for apache again;
mv: cannot set setfscreatecon `user_u:object_r:httpd_sys_script_rw_t': Permission denied
so I changed the selinux perms on these files. Hope it will work next time
I turn on selinux for apache. Because now it's off again because of this:
Tested what gallery (http://gallery.sourceforge.net/) would think about
selinux. It didn't like it at all. It said that it has no rights to write in
the userfile.
And how would I know what I should set the perms to get it working?
Jun 21 06:27:25 sysbabe kernel: audit(1119328045.441:0): avc: denied { write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 ino=688180 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jun 21 06:27:25 sysbabe kernel: audit(1119328045.442:0): avc: denied { write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 ino=688180 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
is what it says. Same problem on another vhost with a counter, just another
name= of course.
This thing above is just the main page. It must be able to write dirs
also, when creating new albums. It must also be able to execute
/usr/bin/convert and maybe other programs also. Hmm, and it stores tmp
files in /tmp also. httpd_sys_content_execute_tmpfiles_t on /tmp maybe? :)
I have no idea how many fixes that are needed to get everything working.
Is there any *generic* apache-can-write-whatever-it-wants in selinux?
As long as apache can't write to *system files* or execute anything as
root I'm quite happy.
Did the fedora team expect problems like this to be created with the latest
selinux policy change or is it a surprise for you? It's fine to have it by
default in a new release of fedora but not to CHANGE it in an update.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
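The AVC lines quoted in the post carry everything needed to relabel just the files httpd actually writes, instead of turning SELinux off. Below is an added example (not from the post or from Fedora's tooling) that parses such kernel AVC denials, collapses the duplicates the kernel logs, and maps an httpd_t write denial on httpd_sys_content_t to a targeted chcon using the writable type the post itself names (httpd_sys_script_rw_t; newer reference policies call it httpd_sys_rw_content_t). The sample log is constructed: the two lines from the post plus one made-up directory denial of the kind creating a new album would produce.

```python
import re
from collections import Counter

# Permissions a read-only content label (httpd_sys_content_t) can never satisfy.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "add_name", "remove_name", "rmdir"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")

# Constructed sample: the two denials quoted in the post plus one constructed
# directory denial (album creation needs add_name on the parent dir).
SAMPLE_LOG = """\
Jun 21 06:27:25 sysbabe kernel: audit(1119328045.441:0): avc: denied { write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 ino=688180 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jun 21 06:27:25 sysbabe kernel: audit(1119328045.442:0): avc: denied { write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 ino=688180 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jun 21 06:28:01 sysbabe kernel: audit(1119328081.100:0): avc: denied { add_name } for pid=29610 exe=/usr/sbin/httpd name=albums dev=hda2 ino=688200 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
"""

def parse_avc(line):
    """Parse one kernel AVC denial line into a dict; None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    rec["perms"] = frozenset(m.group("perms").split())
    # A context is user:role:type[:level]; policy rules are keyed on the type.
    rec["stype"] = rec.get("scontext", "::").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::").split(":")[2]
    return rec

def suggest(rec, rw_type="httpd_sys_script_rw_t"):
    """Targeted remedy for an httpd write denial on read-only web content.
    rw_type is the writable type named in the post (assumed policy of that era).
    Anything else goes back to a human (audit2allow -w explains the denial)
    rather than to a blanket allow rule."""
    if (rec["stype"] == "httpd_t" and rec["ttype"] == "httpd_sys_content_t"
            and rec["perms"] & WRITE_PERMS):
        # chcon is lost on a full relabel; make it persistent with semanage fcontext.
        return "chcon -t %s %s" % (rw_type, rec.get("name", "?"))
    return "no generic fix: review with audit2allow -w"

def summarize(log_text):
    """Deduplicate denials (the kernel repeats them) and attach a suggestion.
    Returns [(count, name, suggestion)] in first-seen order."""
    counts, first = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec.get("tclass"), rec["perms"], rec.get("name"))
        counts[key] += 1
        first.setdefault(key, rec)
    return [(counts[k], first[k].get("name"), suggest(first[k])) for k in first]
```

Run it against /var/log/messages (or the audit log) on the affected host; every suggestion it prints touches only the named object, so the "apache can write system files" outcome the post wants to avoid never arises.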