selinux and ASP for Linux

Jason Dravet dravet at calumet.purdue.edu
Wed Mar 2 23:20:00 UTC 2005


>On Wed, 2005-03-02 at 15:45 -0600, Jason Dravet wrote:
>>I have installed Sun's new asp for Linux (4.02) product on my Linux server.
>>What the software does is provide asp support to httpd on Linux platforms.
>>The Sun installer adds a module to the system so httpd can handle asp
>>requests.  When I try to start httpd I get the following messages.  If I run
>>setenforce 0 and start httpd, asp works great so the problem is with the way
>>asp and selinux interact.  I have to run with selinux enabled so disabling
>>it is not a solution.  What do I have to do to get this to work?  I have
>>contacted Sun but they don't know anything about selinux.
>
>First, note that you can disable SELinux enforcement just for httpd
>without doing setenforce 0; see:
>http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#using-s-c-securitylevel
>
>>Mar 1 19:45:28 cisit6 kernel: audit(1109727928.415:0): avc: denied {write}
>>for pid=8390 exe=/usr/sbin/httpd
>>path=/opt/casp/INSTALL/database/tmp/tmp.0.5541 dev=dm-0 ino=426791
>>scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
>
>Hmmm.  Hard to say what this is.  You could try:
>
> chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/
>
>>path=/opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/mod_casp2.so
>>dev=dm-0 ino=633455 scontext=root:system_r:httpd_t
>>tcontext=root:object_r:usr_t tclass=file
>
>My suggestion:
>
> chcon -h -t shlib_t /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so
 
I used setenforce 0 just to check if asp actually installed correctly.  I
know that I can turn off selinux just for httpd, but as I said turning off
selinux (or any part thereof) is not an option at this time.

I did the two commands that you suggested and now I get the following
messages so progress is being made:

Mar  2 16:49:18 cisit6 kernel: audit(1109803758.925:0): avc:  denied  {
execute } for  pid=5438
path=/opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so dev=dm-0
ino=551452 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
tclass=file
Mar  2 16:49:18 cisit6 httpd: mod_casp2: failed to open
/opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so, aborting.
Mar  2 16:49:18 cisit6 httpd: mod_casp2:
/opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so: failed to map
segment from shared object: Permission denied
Mar  2 16:49:18 cisit6 httpd: httpd startup failed

So I did a 
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so

which got me to 
Starting httpd: casp2ap: error loading Sun Java System Active Server Pages
dispatcher library -
/opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so
casp2ap: /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so: failed to
map segment from shared object: Permission denied

so then I did 
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so

and now it appears to be working fine.  The simple tests have passed with
flying colors.  I have to test the database parts next.

So in short to get asp for linux working you have to do the following:

chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/
chcon -h -t shlib_t /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so

Can this be added to the targeted policy in the future?

Thanks for all of your help,

Jason Dravet
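
Added example, not part of the original message: a small Python parser for the AVC denial lines quoted in this thread. It groups the denied permissions by source type, target type, class and path, which is the information each chcon step above was derived from. The function names are this example's own; the sample lines are the thread's log lines rejoined onto single lines.

```python
import re
from collections import defaultdict

# AVC lines copied from the messages above, rejoined onto single lines.
SAMPLE_LOG = """\
Mar 1 19:45:28 cisit6 kernel: audit(1109727928.415:0): avc: denied {write} for pid=8390 exe=/usr/sbin/httpd path=/opt/casp/INSTALL/database/tmp/tmp.0.5541 dev=dm-0 ino=426791 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
Mar  2 16:49:18 cisit6 kernel: audit(1109803758.925:0): avc:  denied  { execute } for  pid=5438 path=/opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so dev=dm-0 ino=551452 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
Mar  2 16:49:18 cisit6 httpd: httpd startup failed
"""

# Accepts both "{write}" and "{ execute }" spellings of the permission set.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Remaining fields are space-separated key=value pairs (unquoted paths).
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[...]; the type is what chcon -t changes.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def denials_by_path(log_text):
    """Map (source type, target type, class, path) -> denied permissions."""
    out = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and "path" in rec:
            key = (rec["stype"], rec["ttype"], rec["tclass"], rec["path"])
            out[key].update(rec["perms"])
    return dict(out)


if __name__ == "__main__":
    for key, perms in sorted(denials_by_path(SAMPLE_LOG).items()):
        stype, ttype, tclass, path = key
        print(f"{stype} -> {ttype}:{tclass} {{{' '.join(sorted(perms))}}} {path}")
```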



