Problems with httpd and SElinux.

Paul Howarth paul at city-fan.org
Thu Nov 10 10:43:13 UTC 2005


Daniel B. Thurman wrote:
>>From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>>Sent: Monday, November 07, 2005 9:30 AM
>>To: Daniel B. Thurman
>>>I was asked to post this information here.  To explain things,
>>>I have installed FrontPage extensions on FC4

...

> From Paul Howarth, I tried:
> =============================================
> If you want httpd to be able to listen on port 8090, and you have the
> policy sources installed, you can do this by adding the following line
> to /etc/selinux/targeted/src/policy/net_contexts:
> 
> portcon tcp 8090  system_u:object_r:http_port_t
> 
> Then you need to compile and reload the security contexts:
> # make -C /etc/selinux/targeted/src/policy reload
> =============================================
> 
> This all compiles fine now.
> 
> Testing to see if httpd can now restart with the new policies:
> 1) setsebool -P httpd_disable_trans 0
> 2) Restart httpd for this to take effect: service httpd restart
> 
> Httpd can restart with no failure messages.  The httpd server
> now runs fine.
> 
> HOWEVER - Testing FrontPage client against my FC4 box FAILS to
> connect and the reason revealed in /var/log/httpd/error_log:
> 
> [Tue Nov 08 15:25:40 2005] [error] (13)Permission denied: Could not create key file "/usr/local/frontpage/version5.0/apache-fp/suidkey.17096" in FrontPageInit().  Until this problem is fixed, the FrontPage security patch is disabled and the FrontPage extensions may not work correctly.
> 
> I suspect that there is a SElinux policy that is preventing the FP
> client program from creating and deleting the suidkey file it needs
> in order to startup and begin listening for FP Client requests. Please
> note that the process number is created and destroyed for the suidkey file
> and this is happening from within the httpd service file and has nothing
> to do with the FP client connection attempts.  SELinux policy is preventing
> the service file from creating and destroying this file.

There is no SELinux policy defined for anything under /usr/local, since 
it is entirely down to the user what goes in there. If you want Fedora's 
httpd to work with SELinux and CGI programs under /usr/local, you will 
need to set the file contexts appropriately yourself.

Without seeing the actual AVC messages you're getting, it's hard to say 
what the contexts should be. However, a useful guide to SELinux and 
httpd can be found at:

http://fedora.redhat.com/docs/selinux-apache-fc3/

In the section on customising policy, the document assumes you're 
running the "strict" policy, so you'll probably need to change "strict" 
to "targeted" wherever it occurs.

Paul.
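As an added illustration of the "set the file contexts yourself" advice above (not part of the original thread), the script below reads httpd AVC denials of the kind that end up in /var/log/messages, summarises them, and prints the chcon commands that would relabel the objects with the targeted policy's httpd types (httpd_sys_content_t, httpd_sys_script_exec_t, httpd_sys_script_rw_t, which are assumed to be present as in the linked FC3 document). The AVC lines are constructed samples modelled on the suidkey error; the AVC name field only carries a basename, so the real path must still be located with ls -Z before running the printed command.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed AVC lines in the
# syslog format of the FC4 era, for httpd (httpd_t) failing under /usr/local.
AVC_SAMPLE='audit(1131465940.123:45): avc:  denied  { write } for  pid=17096 comm="httpd" name="apache-fp" dev=hda3 ino=12345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir
audit(1131465940.456:46): avc:  denied  { add_name } for  pid=17096 comm="httpd" name="apache-fp" dev=hda3 ino=12345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir
audit(1131465940.789:47): avc:  denied  { create } for  pid=17096 comm="httpd" name="suidkey.17096" scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file'

# avc_summarize: reads AVC lines on stdin and prints one line per denial of
# the httpd_t domain: "perms tclass name ttype" (perms comma-joined).
avc_summarize() {
  awk '/avc: *denied/ && /scontext=[^ ]*:httpd_t/ {
    perm = $0
    sub(/.*denied[ \t]*[{][ \t]*/, "", perm); sub(/[ \t]*[}].*/, "", perm)
    gsub(/[ \t]+/, ",", perm)
    name = "?"; ttype = "?"; tclass = "?"
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
      if ($i ~ /^tcontext=/) { ttype = $i; sub(/.*:/, "", ttype) }
      if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
    }
    print perm, tclass, name, ttype
  }'
}

# suggest_type PERMS TCLASS: map the denied permissions on a dir or file to
# the least-privileged httpd type that grants them (targeted policy names).
suggest_type() {
  case "$2" in
    dir)  case ",$1," in
            *,write,*|*,create,*|*,add_name,*|*,remove_name,*) echo httpd_sys_script_rw_t ;;
            *) echo httpd_sys_content_t ;;
          esac ;;
    file) case ",$1," in
            *,execute,*|*,execute_no_trans,*) echo httpd_sys_script_exec_t ;;
            *,write,*|*,append,*|*,create,*|*,unlink,*) echo httpd_sys_script_rw_t ;;
            *) echo httpd_sys_content_t ;;
          esac ;;
    *)    echo "" ;;
  esac
}

# chcon_plan: AVC lines on stdin -> one distinct "chcon -t TYPE NAME" per object.
# NAME is the basename from the AVC record; resolve it under /usr/local first.
chcon_plan() {
  avc_summarize | while read -r perms tclass name ttype; do
    t=$(suggest_type "$perms" "$tclass")
    [ -n "$t" ] && echo "chcon -t $t $name"
  done | sort -u
}

printf '%s\n' "$AVC_SAMPLE" | chcon_plan
```

Run against real denials with `grep avc /var/log/messages | chcon_plan`; a `chcon -R` on the apache-fp directory is the usual fix once the path is confirmed.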




More information about the fedora-list mailing list