Neophyte question re: httpd under SELinux
pacifico at drizzle.com
Wed Dec 21 06:26:45 UTC 2005
I'm working on a CGI program in C, but recently SELinux seems to have
tripped me up.
I started with Tom Boutell's cgic and an example CGI program (provided in
his source tree) that generates a JPEG on the fly. It ran fine months back
with the following script:
/usr/sbin/httpd -X -k start -d $dir -e debug
on my FC4 machine.
Now, it's time to start testing the program I wrote, but my Apache (version
2.0.54, installed from Fedora RPM, if it matters) won't start unless I
execute /usr/sbin/setenforce 0 before executing my script. (It took me a
while to figure that one out!) In fact, /usr/sbin/httpd -v won't even work.
I'm sure the SELinux policy has updated via yum since times when it worked,
and that explains the change. I tried checking "Disable SELinux protection
for httpd daemon" in the system-config-securitylevel dialog and relabelling
my filesystems, but I still need to execute /usr/sbin/setenforce 0
beforehand to run my script that starts httpd with my CGI program.
If it helps, the example CGI program (not the one I've written, but Tom
Boutell's that formerly ran) is in the directory
ls -l /home/myuser/Development/myproject/imageFromCGI_test/test outputs
drwxrwxr-x 2 myuser apache 4096 Sep 9 10:03 cgi-bin
drwxrwxr-x 2 myuser apache 4096 Sep 9 13:07 conf
-rwxr-xr-x 1 root root 63 Dec 20 14:38 debug_CGI
drwxrwxr-x 2 myuser apache 4096 Sep 9 12:08 htdocs
drwxrwxr-x 2 myuser apache 4096 Sep 9 12:04 logs
lrwxrwxrwx 1 root root 18 Sep 9 09:52 modules -> /etc/httpd/modules
drwxrwxr-x 2 myuser apache 4096 Sep 9 12:04 run
(probably only makes sense if you're accustomed to configuring Apache; this
directory is essentially the argument to the Apache ServerRoot directive).
I inferred that the directory might be important since /sbin/service httpd
start works fine, regardless of the state of the aforementioned checkbox.
What bugs me is that I don't get any kind of warning... apache just never
Q: How do I get warnings? (grep avc /var/log/messages was of no help to my
Q: What else do I need to change to alter this behavior?
I understand that for a production machine, SELinux is a good thing. I
hadn't installed it when I used FC2 and hadn't had much problem with FC3 or
with FC4 until yesterday. I have to believe there is a better way than just
turning it off.