Ok I thought I had this SELinux thing figured out at least a little. Finally got httpd to start up. But now I have perl/cgi script problems. When trying to access my Genesis WebAuthoring System the script works in the /cgi-bin/genesis/ directory displaying the login screen, but when I go to log in I get this error message.
Error: could not write to file '/var/www/pteraweb/cgi-bin/genesis/script_data/accounts/.webauth_tokens' - Permission denied - Permission denied
Plus these on the console:
Dec 2 21:04:37 webmail kernel: audit(1102050277.791:0): avc: denied { search } for pid=2359 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Dec 2 21:04:55 webmail kernel: audit(1102050295.132:0): avc: denied { write } for pid=2360 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Oh I know what this means, so I added this to my custom.fc:
/var/www/.*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
which is what I saw in file_contexts for /var/www/cgi-bin
make load
fixfiles relabel
The log shows it relabeled everything. But now I get...
Dec 3 13:42:38 webmail kernel: audit(1102110158.398:0): avc: denied { search } for pid=1873 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Dec 3 13:42:47 webmail kernel: audit(1102110167.739:0): avc: denied { search } for pid=1874 exe=/usr/bin/perl scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
Dec 3 13:42:47 webmail kernel: audit(1102110167.740:0): avc: denied { search } for pid=1874 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Dec 3 13:42:47 webmail kernel: audit(1102110167.964:0): avc: denied { write } for pid=1874 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file
So I ran out of what I know to do or maybe I messed things up.
Arthur Stephens Sales Technician Ptera Wireless Internet astephens@ptera.net 509-927-Ptera
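An added example, not part of the original post: a short Python parser that reads the AVC denials quoted in the message above, before and after the relabel, and compares them by source type, target type, class and permission. The function names are illustrative assumptions; the log lines are copied from the post.

```python
import re
from collections import namedtuple

# Log lines copied from the post: before and after "make load; fixfiles relabel".
BEFORE = """\
Dec 2 21:04:37 webmail kernel: audit(1102050277.791:0): avc: denied { search } for pid=2359 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Dec 2 21:04:55 webmail kernel: audit(1102050295.132:0): avc: denied { write } for pid=2360 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
"""
AFTER = """\
Dec 3 13:42:38 webmail kernel: audit(1102110158.398:0): avc: denied { search } for pid=1873 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Dec 3 13:42:47 webmail kernel: audit(1102110167.739:0): avc: denied { search } for pid=1874 exe=/usr/bin/perl scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
Dec 3 13:42:47 webmail kernel: audit(1102110167.740:0): avc: denied { search } for pid=1874 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Dec 3 13:42:47 webmail kernel: audit(1102110167.964:0): avc: denied { write } for pid=1874 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file
"""

Denial = namedtuple("Denial", "perm source_type target_type tclass name")

# Permission set in braces, then the run of key=value fields that follows "for".
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+((?:\w+=\S+\s*)+)")


def parse_denials(text):
    """Return one Denial per denied permission. Works whether the records
    are pasted one per line or run together on a single line."""
    denials = []
    for perms, fields in AVC_RE.findall(text):
        kv = dict(re.findall(r"(\w+)=(\S+)", fields))
        src = kv.get("scontext", "").split(":")
        tgt = kv.get("tcontext", "").split(":")
        if len(src) < 3 or len(tgt) < 3 or "tclass" not in kv:
            continue  # truncated record, skip it
        # A context is user:role:type; the access decision is made on the type.
        for perm in perms.split():
            denials.append(Denial(perm, src[2], tgt[2], kv["tclass"], kv.get("name")))
    return denials


def rule_keys(denials):
    """Collapse repeated records to the distinct (source, target, class, perm) tuples."""
    return {(d.source_type, d.target_type, d.tclass, d.perm) for d in denials}


def compare(before, after):
    """Which distinct denials persisted, disappeared or appeared."""
    b, a = rule_keys(before), rule_keys(after)
    return {"unchanged": b & a, "gone": b - a, "new": a - b}


def retargeted(before, after):
    """Accesses still denied on the same named object whose label changed:
    the relabel took effect, but the new type is not permitted either."""
    def index(denials):
        return {(d.source_type, d.name, d.tclass, d.perm): d.target_type
                for d in denials if d.name}
    b, a = index(before), index(after)
    return sorted((k[1], k[3], b[k], a[k]) for k in b.keys() & a.keys() if b[k] != a[k])


if __name__ == "__main__":
    before, after = parse_denials(BEFORE), parse_denials(AFTER)
    for state, keys in compare(before, after).items():
        for key in sorted(keys):
            print(state, *key)
    for name, perm, old, new in retargeted(before, after):
        print(f"{perm} on {name}: still denied, target type {old} -> {new}")
```

On this input the two sysctl search denials are unchanged, and the write to .webauth_tokens is still denied with only its target type changed from httpd_sys_content_t to httpd_sys_script_exec_t.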
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
We have placed an update to the SELinux policy that should fix this problem. I am not sure it has made it into Fedora-Updates yet. The latest policy is available at
ftp://people.redhat.com/dwalsh/SELinux/FC3
Dan
Which file?
----- Original Message ----- From: "Daniel J Walsh" dwalsh@redhat.com To: "Fedora SELinux support list for users & developers." fedora-selinux-list@redhat.com Sent: Friday, December 03, 2004 11:34 AM Subject: Re: perl/cgi script problem
We have placed an update to the SELinux policy that should fix this problem. I am not sure it has made it into Fedora-Updates yet. The latest policy is available at
ftp://people.redhat.com/dwalsh/SELinux/FC3
Dan
[root@webmail ~]# rpm -Uvh selinux-policy-targeted-sources-1.17.30-2.42.noarch.rpm
error: Failed dependencies:
    selinux-policy-targeted = 1.17.30-2.42 is needed by selinux-policy-targeted-sources-1.17.30-2.42.noarch
[root@webmail ~]# rpm -Uvh selinux-policy-targeted-1.17.30-2.42.noarch.rpm
error: Failed dependencies:
    selinux-policy-targeted = 1.17.30-2.34 is needed by (installed) selinux-policy-targeted-sources-1.17.30-2.34.noarch
So do I force the upgrade?
----- Original Message ----- From: "Arthur Stephens" astephens@ptera.net To: "Fedora SELinux support list for users & developers." fedora-selinux-list@redhat.com Sent: Friday, December 03, 2004 1:15 PM Subject: Re: perl/cgi script problem
[root@webmail ~]# rpm -Uvh selinux-policy-targeted-sources-1.17.30-2.42.noarch.rpm
error: Failed dependencies:
    selinux-policy-targeted = 1.17.30-2.42 is needed by selinux-policy-targeted-sources-1.17.30-2.42.noarch
[root@webmail ~]# rpm -Uvh selinux-policy-targeted-1.17.30-2.42.noarch.rpm
error: Failed dependencies:
    selinux-policy-targeted = 1.17.30-2.34 is needed by (installed) selinux-policy-targeted-sources-1.17.30-2.34.noarch
Arthur Stephens wrote:
So do I force the upgrade?
<snip>
Nope, you update both the selinux-policy-targeted and selinux-policy-targeted-sources at the same time, thus:
rpm -Uvh selinux-policy-targeted-*.rpm
HTH Richard
Ok so I did this upgrade but there must be something else I need to do because I still have the same errors
Arthur Stephens Sales Technician Ptera Wireless Internet astephens@ptera.net 509-927-Ptera
Then I replaced the filecontents with the filecontents.rpmnew and policy.8 with policy.8.rpmnew and now I get these messages...
Dec 6 13:19:21 webmail kernel: audit(1102367961.429:0): avc: denied { unlink } for pid=1959 exe=/usr/sbin/httpd name=ssl_mutex.1959 dev=dm-0 ino=229025 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
Dec 6 13:19:22 webmail httpd: httpd startup succeeded
Dec 6 13:19:22 webmail kernel: audit(1102367962.716:0): avc: denied { unlink } for pid=1960 exe=/usr/sbin/httpd name=ssl_mutex.1959 dev=dm-0 ino=229025 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
But httpd is not running because service httpd status yields:
httpd dead but subsys locked
: (
Arthur Stephens Sales Technician Ptera Wireless Internet astephens@ptera.net 509-927-Ptera
----- Original Message ----- From: "Arthur Stephens" astephens@ptera.net To: "Fedora SELinux support list for users & developers." fedora-selinux-list@redhat.com Sent: Monday, December 06, 2004 10:19 AM Subject: Re: perl/cgi script problem
Ok so I did this upgrade but there must be something else I need to do because I still have the same errors
Arthur Stephens Sales Technician Ptera Wireless Internet astephens@ptera.net 509-927-Ptera
On Mon, Dec 06, 2004 at 10:49:13AM -0800, Arthur Stephens wrote:
Then I replaced the filecontents with the filecontents.rpmnew and policy.8 with policy.8.rpmnew and now I get these messages...
Dec 6 13:19:21 webmail kernel: audit(1102367961.429:0): avc: denied { unlink } for pid=1959 exe=/usr/sbin/httpd name=ssl_mutex.1959 dev=dm-0 ino=229025 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
Dec 6 13:19:22 webmail httpd: httpd startup succeeded
Dec 6 13:19:22 webmail kernel: audit(1102367962.716:0): avc: denied { unlink } for pid=1960 exe=/usr/sbin/httpd name=ssl_mutex.1959 dev=dm-0 ino=229025 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
This shouldn't happen in the default config - did you regenerate your config files using system-config-httpd or something?
Find the "SSLMutex" line in /etc/httpd/conf.d/ssl.conf and replace it with:
SSLMutex default
and you should be OK.
joe
selinux@lists.fedoraproject.org