On Wed, 2005-03-02 at 15:45 -0600, Jason Dravet wrote:
I have installed Sun's new asp for Linux (4.02) product on my Linux server. What the software does is provide asp support to httpd on Linux platforms. The Sun installer adds a module to the system so httpd can handle asp requests. When I try to start httpd I get the following messages. If I run setenforce 0 and start httpd, asp works great so the problem is with the way asp and selinux interact. I have to run with selinux enabled so disabling it is not a solution. What do I have to do to get this to work? I have contacted Sun but they don't know anything about selinux.
First, note that you can disable SELinux enforcement just for httpd without doing setenforce 0; see: http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#using-s-c-%3Esecuri...
ylevel
Mar 1 19:45:28 cisit6 kernel: audit(1109727928.415:0): avc: denied {write} for pid=8390 exe=/usr/sbin/httpd path=/opt/casp/INSTALL/database/tmp/tmp.0.5541 dev=dm-0 ino=426791 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
Hmmm. Hard to say what this is. You could try:
chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/
path=/opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/mod_casp2.so dev=dm-0 ino=633455 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
My suggestion:
chcon -h -t shlib_t /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so
I used setenforce 0 just to check if asp actually installed correctly. I know that I can turn off selinux just for httpd, but as I said, turning off selinux (or any part thereof) is not an option at this time.
I did the two commands that you suggested and now I get the following messages so progress is being made:
Mar 2 16:49:18 cisit6 kernel: audit(1109803758.925:0): avc: denied { execute } for pid=5438 path=/opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so dev=dm-0 ino=551452 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
Mar 2 16:49:18 cisit6 httpd: mod_casp2: failed to open /opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so, aborting.
Mar 2 16:49:18 cisit6 httpd: mod_casp2: /opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so: failed to map segment from shared object: Permission denied
Mar 2 16:49:18 cisit6 httpd: httpd startup failed
So I did a chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so
which got me to:
Starting httpd: casp2ap: error loading Sun Java System Active Server Pages dispatcher library - /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so
casp2ap: /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so: failed to map segment from shared object: Permission denied
so then I did chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so
and now it appears to be working fine. The simple tests have passed with flying colors. I have to test the database parts next.
So in short to get asp for linux working you have to do the following:
chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/
chcon -h -t shlib_t /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so
Can this be added to the targeted policy in the future?
Thanks for all of your help,
Jason Dravet
On Wed, 2005-03-02 at 17:20 -0600, Jason Dravet wrote:
So in short to get asp for linux working you have to do the following:
chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/
I'm not sure this is *really* what you want by the way - by default both httpd_t and httpd_sys_script_t have complete access to it (modulo DAC of course).
Without knowing more about the program I couldn't say.
chcon -h -t shlib_t /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so
Can this be added to the targeted policy in the future?
Well...these regexps exist in types.fc already:
/opt/.*/lib(64)?(/.*)? system_u:object_r:lib_t
/opt/.*/lib(64)?/.*.so(.[^/]*)* -- system_u:object_r:shlib_t
So I think actually you could have done:
restorecon /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so /opt/casp/server/lib/linux2_i686_optimized/*.so
Note that if the package was installed via RPM this labeling would have occurred automatically.
But we do have a difficulty with 3rd-party generic plugin installation and Apache; again Apache is basically unique among the targeted daemons in this respect.
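As an added illustration (not code from the thread or from Sun's product), the following Python script does what the discussion above does by hand: it parses AVC denial lines, applies the two types.fc entries quoted above with libselinux's matching rules (whole-path match, last entry wins, "--" for regular files), and reports whether restorecon would fix the label, whether no entry covers the path at all, or whether the label already matches and the denial is a real policy gap. Only the two quoted entries are embedded, so paths a fuller file_contexts would cover (such as the module directory) show up as uncovered here; the sample denials are constructed from the ones quoted in the thread.

```python
import re
# file_contexts entries quoted in the thread. libselinux anchors each regex to
# the whole path and the LAST matching entry wins; "--" means regular files only.
# (Policy sources normally escape the dots before "so"; kept here as quoted.)
FILE_CONTEXTS = [
    (r"/opt/.*/lib(64)?(/.*)?", None, "system_u:object_r:lib_t"),
    (r"/opt/.*/lib(64)?/.*.so(.[^/]*)*", "--", "system_u:object_r:shlib_t"),
]
AVC_RE = re.compile(r"avc: denied \{ ?(?P<perm>\w+) ?\} for pid=(?P<pid>\d+) .*?"
                    r"path=(?P<path>\S+) .*?scontext=(?P<scontext>\S+) "
                    r"tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\w+)")

def parse_avc(line):
    """Fields of one AVC denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    return m.groupdict() if m else None

def expected_type(path, tclass, specs=FILE_CONTEXTS):
    """Type the embedded file_contexts subset assigns, or None if nothing matches."""
    ftype = "--" if tclass == "file" else None
    winner = None
    for regex, spec_ftype, context in specs:
        if spec_ftype is not None and spec_ftype != ftype:
            continue  # entry restricted to another file type
        if re.fullmatch(regex, path):
            winner = context.split(":")[2]  # last match wins, as in libselinux
    return winner

def triage(line):
    """'mislabeled': restorecon fixes it; 'unlabeled': no entry covers the path,
    so a custom fcontext is needed; 'policy': the label already matches, so the
    denial is a genuine policy gap rather than a labeling problem."""
    avc = parse_avc(line)
    if avc is None:
        return None
    current = avc["tcontext"].split(":")[2]
    expected = expected_type(avc["path"], avc["tclass"])
    verdict = ("unlabeled" if expected is None
               else "mislabeled" if expected != current else "policy")
    return {"path": avc["path"], "current": current, "expected": expected, "verdict": verdict}

# Constructed sample input, copied from the denials quoted in the thread.
SAMPLE_DENIALS = [
    "avc: denied {write} for pid=8390 exe=/usr/sbin/httpd "
    "path=/opt/casp/INSTALL/database/tmp/tmp.0.5541 dev=dm-0 ino=426791 "
    "scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file",
    "avc: denied { execute } for pid=5438 path=/opt/casp/server/lib/"
    "linux2_i686_optimized/libcasp2ap.so dev=dm-0 ino=551452 "
    "scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file",
]
```

Run `triage()` over each line of SAMPLE_DENIALS (or over `grep avc: /var/log/messages`) to see the libcasp2ap.so denial reported as mislabeled and the INSTALL/database/tmp denial as uncovered by these entries.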
selinux@lists.fedoraproject.org