awstats and selinux
Paul Howarth
paul at city-fan.org
Fri Apr 28 22:11:35 UTC 2006
On Fri, 2006-04-28 at 22:39 +0100, Stuart Sears wrote:
>
> Paul Lemmons wrote:
> <lots of snipped stuff>
> > Anyway, when I looked there I saw:
> >
> >
> > ...kernel: audit(1146243585.213:27): avc: denied { execute } for
> > pid=20973 comm="httpd" name="awstats.pl" dev=dm-0 ino=1082675
> > scontext=root:system_r:httpd_t
> > tcontext=system_u:object_r:usr_t
> so the selinux file context of the awstats perl script is wrong. OR at
> least it is set to something (usr_t) that apache (running in the httpd_t
> domain) is not permitted to execute.
>
> > tclass=file
> what happens if you do
> chcon -t httpd_sys_script_exec_t /path/to/awstats.pl
>
> system_u:object_r:httpd_sys_script_exec_t is the standard context for
> cgi scripts. httpd_t is allowed to run these.
>
> (you may need to do this for the other awstats scripts as well, if there
> are a few)
That's probably sufficient actually. The Extras awstats maintainer has
been working on adding SELinux support straight into the package, and
has written it up here:
http://fedoraproject.org/wiki/Packaging/SELinux
To make the context change survive a relabel, do:
# semanage fcontext -a -t httpd_sys_script_exec_t '^/usr/share/awstats/wwwroot/cgi-bin(/.*)?'
(that's all one line)
Paul.
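
An added example, not part of the original messages: a small Python triage script that parses old-style kernel AVC denial lines like the one quoted in the thread and groups the denied file names by source type, target type, class and permission, so files carrying a label that httpd_t cannot execute stand out. The first sample line joins the record quoted above; the second and third lines, including the file name awredir.pl and its values, are constructed.

```python
import re
from collections import defaultdict

# Old-style kernel AVC record, one record per line (the thread shows it wrapped).
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type (third field) of a user:role:type[:mls] context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one denial line into a dict, or return None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': selinux_type(fields.get('scontext', '')),
        'target_type': selinux_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
    }

def summarize(lines):
    """Group denied names by (source type, target type, class, permission)."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec['perms']:
            key = (rec['source_type'], rec['target_type'], rec['tclass'], perm)
            groups[key].add(rec['name'])
    return {k: sorted(v) for k, v in groups.items()}

# Sample input: line 1 is the record from the thread; lines 2-3 are constructed.
SAMPLE = [
    'kernel: audit(1146243585.213:27): avc: denied { execute } for pid=20973 comm="httpd" '
    'name="awstats.pl" dev=dm-0 ino=1082675 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file',
    'kernel: audit(1146243590.101:28): avc: denied { execute } for pid=20974 comm="httpd" '
    'name="awredir.pl" dev=dm-0 ino=1082676 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'httpd: server started',  # not an AVC record, must be ignored
]

if __name__ == '__main__':
    for key, names in summarize(SAMPLE).items():
        print(key, names)
```

A group whose source type is httpd_t and whose target type is anything other than httpd_sys_script_exec_t under the execute permission is the pattern the chcon and semanage commands above address.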