selinux and ASP for Linux

Jason Dravet dravet at
Wed Mar 2 23:20:00 UTC 2005

>On Wed, 2005-03-02 at 15:45 -0600, Jason Dravet wrote:
>>I have installed Sun's new asp for Linux (4.02) product on my Linux
>>What the software does is provide asp support to httpd on Linux platforms.
>>The Sun installer adds a module to the system so httpd can handle asp
>>requests.  When I try to start httpd I get the following messages.  If I
>>setenforce 0 and start httpd, asp works great so the problem is with the
>>asp and selinux interact.  I have to run with selinux enabled so disabling
>>it is not a solution.  What do I have to do to get this to work?  I have
>>contacted Sun but they don't know anything about selinux.
>First, note that you can disable SELinux enforcement just for httpd
>without doing setenforce 0; see:
>>Mar 1 19:45:28 cisit6 kernel: audit(1109727928.415:0): avc: denied {write}
>>for pid=8390 exe=/usr/sbin/httpd
>>path=/opt/casp/INSTALL/database/tmp/tmp.0.5541 dev=dm-0 ino=426791
>>scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
>Hmmm.  Hard to say what this is.  You could try:
> chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/
>>/ dev=dm-0 ino=633455 scontext=root:system_r:httpd_t
>>tcontext=root:object_r:usr_t tclass=file
>My suggestion:
> chcon -h -t shlib_t
I used setenforce 0 just to check if asp actually installed correctly.  I
know that I can off selinux just for httpd, but as I said turn off selinux
(or any part there of) is not an option at this time.

I did the two commands that you suggested and now I get the following
messages so progress is being made:

Mar  2 16:49:18 cisit6 kernel: audit(1109803758.925:0): avc:  denied  {
execute } for  pid=5438
path=/opt/casp/server/lib/linux2_i686_optimized/ dev=dm-0
ino=551452 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
Mar  2 16:49:18 cisit6 httpd: mod_casp2: failed to open
/opt/casp/server/lib/linux2_i686_optimized/, aborting.
Mar  2 16:49:18 cisit6 httpd: mod_casp2:
/opt/casp/server/lib/linux2_i686_optimized/ failed to map
segment from shared object: Permission denied
Mar  2 16:49:18 cisit6 httpd: httpd startup failed

So I did a 
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/

which got me to 
Starting httpd: casp2ap: error loading Sun Java System Active Server Pages
dispatcher library -
casp2ap: /opt/casp/server/lib/linux2_i686_optimized/ failed to
map segment from shared object: Permission denied

so then I did 
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/

and now it appears to be working fine.  The simple tests have passed with
flying colors.  I have to test the database parts next.

So in short to get asp for linux working you have to do the following:

chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/
chcon -h -t shlib_t
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/

Can this be added to the targeted policy in the future?

Thanks for all of your help,

Jason Dravet

More information about the fedora-selinux-list mailing list