perl/cgi script problem

Daniel J Walsh dwalsh at redhat.com
Fri Dec 3 19:34:22 UTC 2004


Arthur Stephens wrote:

> Ok I thought I had this SELinux thing figured out at least a little.
> Finally got httpd to startup.
> But now I have perl/cgi script problems.
> When trying to access my Genesis WebAuthoring System the script works 
> in the /cgi-bin/genesis/ directory displaying the login screen
> but when I go to log in I get this error message.
> *Error:* could not write to file 
> '/var/www/pteraweb/cgi-bin/genesis/script_data/accounts/.webauth_tokens' 
> - Permission denied - Permission denied
>  
> Plus these on the console
> Dec  2 21:04:37 webmail kernel: audit(1102050277.791:0): avc:  denied  
> { search } for  pid=2359 exe=/usr/bin/perl name=sys dev=proc 
> ino=-268435431 scontext=root:system_r:httpd_sys_script_t 
> tcontext=system_u:object_r:sysctl_t tclass=dir
> Dec  2 21:04:54 webmail kernel: audit(1102050294.906:0): avc:  denied  
> { search } for  pid=2360 exe=/usr/bin/perl 
> scontext=root:system_r:httpd_sys_script_t 
> tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
> Dec  2 21:04:54 webmail kernel: audit(1102050294.906:0): avc:  denied  
> { search } for  pid=2360 exe=/usr/bin/perl name=sys dev=proc 
> ino=-268435431 scontext=root:system_r:httpd_sys_script_t 
> tcontext=system_u:object_r:sysctl_t tclass=dir
> Dec  2 21:04:55 webmail kernel: audit(1102050295.132:0): avc:  denied  
> { write } for  pid=2360 exe=/usr/bin/perl name=.webauth_tokens 
> dev=dm-0 ino=228251 scontext=root:system_r:httpd_sys_script_t 
> tcontext=system_u:object_r:httpd_sys_content_t tclass=file
> Oh I know what this means so I added this to my custom.fc
> /var/www/.*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
>  
> which is what I saw in file_contexts for /var/www/cgi-bin
>  
> make load
> fixfiles relabel
>  
> The log shows it relabeled everything.
> But now I get...
>  
> Dec  3 13:42:38 webmail kernel: audit(1102110158.398:0): avc:  denied  
> { search } for  pid=1873 exe=/usr/bin/perl name=sys dev=proc 
> ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t 
> tcontext=system_u:object_r:sysctl_t tclass=dir
> Dec  3 13:42:47 webmail kernel: audit(1102110167.739:0): avc:  denied  
> { search } for  pid=1874 exe=/usr/bin/perl 
> scontext=user_u:system_r:httpd_sys_script_t 
> tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
> Dec  3 13:42:47 webmail kernel: audit(1102110167.740:0): avc:  denied  
> { search } for  pid=1874 exe=/usr/bin/perl name=sys dev=proc 
> ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t 
> tcontext=system_u:object_r:sysctl_t tclass=dir
> Dec  3 13:42:47 webmail kernel: audit(1102110167.964:0): avc:  denied  
> { write } for  pid=1874 exe=/usr/bin/perl name=.webauth_tokens 
> dev=dm-0 ino=228251 scontext=user_u:system_r:httpd_sys_script_t 
> tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file
> So I ran out of what I know to do or maybe I messed things up.
>  
>  
> Arthur Stephens
> Sales Technician
> Ptera Wireless Internet
> astephens at ptera.net <mailto:astephens at ptera.net>
> 509-927-Ptera
>
We have placed an update to the SELinux policy that should fix this problem.
I am not sure it has made it into Fedora-Updates yet.  The latest policy
is available at

ftp://people.redhat.com/dwalsh/SELinux/FC3

Dan
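
Added example, not part of either message and not code from the SELinux policy project: a short Python parser for the AVC denials quoted above that compares the two captures by (source type, target type, class, permission). The function names are this example's own; the log lines are the ones from the message, unwrapped and with the syslog prefix dropped.

```python
import re
from collections import Counter

# The eight denials from the message, unwrapped to one record per line
# (syslog prefix dropped). BEFORE is Dec 2, AFTER is Dec 3, after the relabel.
BEFORE = """\
audit(1102050277.791:0): avc:  denied  { search } for  pid=2359 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
audit(1102050294.906:0): avc:  denied  { search } for  pid=2360 exe=/usr/bin/perl scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
audit(1102050294.906:0): avc:  denied  { search } for  pid=2360 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
audit(1102050295.132:0): avc:  denied  { write } for  pid=2360 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
"""
AFTER = """\
audit(1102110158.398:0): avc:  denied  { search } for  pid=1873 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
audit(1102110167.739:0): avc:  denied  { search } for  pid=1874 exe=/usr/bin/perl scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
audit(1102110167.740:0): avc:  denied  { search } for  pid=1874 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
audit(1102110167.964:0): avc:  denied  { write } for  pid=1874 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type; the third field is the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

def relabel_effect(before, after):
    """Return (denials only in 'before', denials only in 'after')."""
    b, a = set(summarize(before)), set(summarize(after))
    return sorted(b - a), sorted(a - b)

if __name__ == "__main__":
    gone, new = relabel_effect(BEFORE, AFTER)
    print("only before relabel:", gone)
    print("only after relabel: ", new)
    print("unchanged:", sorted(set(summarize(BEFORE)) & set(summarize(AFTER))))
```

Run on these lines, the only difference between the two captures is the target type of the write denial on `.webauth_tokens` (`httpd_sys_content_t` before, `httpd_sys_script_exec_t` after); the `sysctl_t` and `sysctl_kernel_t` search denials are identical in both.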



