viewcvs problem with SELinux

Paul Howarth paul at city-fan.org
Thu Aug 18 17:11:47 UTC 2005


On Thu, 2005-08-18 at 14:38 +0530, Ankush Grover wrote:
> hey friends,
> 
>  I have configured cvs and viewcvs on FC3 but I am not able to access
> viewcvs when SELinux is on.
> 
> The /var/log/messages contains these entries
> 
> avc:  denied  { execute } for  pid=5233 exe=/usr/sbin/httpd
> name=viewcvs.cgi dev=hda5 ino=198687 scontext=user_u:system_r:httpd_t
> tcontext=system_u:object_r:usr_t tclass=file
> 
> When I switch off SELinux I am able to access the viewcvs through the browser.
> 
> ls -lZ /usr/local/viewcvs
> 
> drwxr-xr-x  root   root     system_u:object_r:usr_t          cgi
> -rwxr-xr-x  root     root     system_u:object_r:usr_t          cvsdbadmin
> -rw-r--r--  root     root     system_u:object_r:usr_t          cvsgraph.conf
> drwxr-xr-x  root     root     system_u:object_r:usr_t          doc
> drwxr-xr-x  root     root     system_u:object_r:lib_t          lib
> -rwxr-xr-x  root     root     system_u:object_r:usr_t          loginfo-handler
> -rwxr-xr-x  root     root     system_u:object_r:usr_t          make-database
> -rwxr-xr-x  root     root     system_u:object_r:usr_t          standalone.py
> drwxr-xr-x  root     root     system_u:object_r:usr_t          templates
> -rw-r--r--  root     root     system_u:object_r:usr_t          viewcvs.conf
> 
> 
> I also did this make -C /etc/selinux/targeted/src/policy reload
> 
> restorecon -R /usr/local/viewcvs
> 
> But still the problem is persisting.

Not surprising; I wouldn't expect there to be any policy for anything
under /usr/local because just about anything could be installed just
about anywhere under there. The targeted policy expects to find CGI
scripts for instance under /var/www/cgi-bin and hence assigns a type of
httpd_sys_script_exec_t to things in that directory, which can then be
executed by httpd (provided the httpd_enable_cgi boolean is enabled).

A good start might be:
# setsebool -P httpd_enable_cgi 1
# chcon -R -t httpd_sys_script_exec_t /usr/local/viewcvs/cgi

Further reading:
- man httpd_selinux
- http://fedora.redhat.com/docs/selinux-apache-fc3/
  (there's a good section on customising policy in that document)

Paul.
-- 
Paul Howarth <paul at city-fan.org>
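
An added example, not part of the original message: a small shell triage that reads AVC denials and lists files httpd_t tried to execute that do not carry the httpd_sys_script_exec_t type named in the reply. The function names are hypothetical; the sample log is the denial quoted in the thread joined onto one line, plus two constructed lines.

```shell
#!/bin/sh
# Type the targeted policy assigns to CGI scripts (named in the reply above).
CGI_TYPE="httpd_sys_script_exec_t"

# Print the value of key=value field $2 from AVC line $1 (empty if absent).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print the type (third colon-separated part) of a security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read AVC lines on stdin. For each execute denial where the source is
# httpd_t and the target file's type is not CGI_TYPE, print:
#   <file name> <source type> <target type>
httpd_cgi_label_denials() {
    while IFS= read -r line; do
        case "$line" in
            *"avc:"*"denied"*"{"*" execute "*"}"*) ;;
            *) continue ;;
        esac
        [ "$(avc_field "$line" tclass)" = "file" ] || continue
        stype=$(ctx_type "$(avc_field "$line" scontext)")
        ttype=$(ctx_type "$(avc_field "$line" tcontext)")
        [ "$stype" = "httpd_t" ] || continue
        [ "$ttype" = "$CGI_TYPE" ] && continue
        printf '%s %s %s\n' "$(avc_field "$line" name)" "$stype" "$ttype"
    done
}

# Line 1: denial from the thread. Lines 2 and 3: constructed (a read denial,
# and an execute denial on a file that already has the CGI type).
SAMPLE_LOG='avc:  denied  { execute } for  pid=5233 exe=/usr/sbin/httpd name=viewcvs.cgi dev=hda5 ino=198687 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file
avc:  denied  { read } for  pid=100 exe=/usr/sbin/httpd name=x.conf dev=hda5 ino=1 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file
avc:  denied  { execute } for  pid=101 exe=/usr/sbin/httpd name=ok.cgi dev=hda5 ino=2 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file'

printf '%s\n' "$SAMPLE_LOG" | httpd_cgi_label_denials
```

Only viewcvs.cgi is reported: its usr_t label is the mismatch that the chcon command above corrects.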



