selinux and ASP for Linux
Jason Dravet
dravet at calumet.purdue.edu
Wed Mar 2 23:20:00 UTC 2005
>On Wed, 2005-03-02 at 15:45 -0600, Jason Dravet wrote:
>>I have installed Sun's new asp for Linux (4.02) product on my Linux
>>server.
>>What the software does is provide asp support to httpd on Linux platforms.
>>The Sun installer adds a module to the system so httpd can handle asp
>>requests. When I try to start httpd I get the following messages. If I
>>run
>>setenforce 0 and start httpd, asp works great so the problem is with the
>>way
>>asp and selinux interact. I have to run with selinux enabled so disabling
>>it is not a solution. What do I have to do to get this to work? I have
>>contacted Sun but they don't know anything about selinux.
>
>First, note that you can disable SELinux enforcement just for httpd
>without doing setenforce 0; see:
>http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#using-s-c->securit
ylevel
>
>>Mar 1 19:45:28 cisit6 kernel: audit(1109727928.415:0): avc: denied {write}
>>for pid=8390 exe=/usr/sbin/httpd
>>path=/opt/casp/INSTALL/database/tmp/tmp.0.5541 dev=dm-0 ino=426791
>>scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
>
>Hmmm. Hard to say what this is. You could try:
>
> chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/
>
>>path=/opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard
>>/mod_casp2.so dev=dm-0 ino=633455 scontext=root:system_r:httpd_t
>>tcontext=root:object_r:usr_t tclass=file
>
>My suggestion:
>
> chcon -h -t shlib_t
>/opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so
I used setenforce 0 just to check if asp actually installed correctly. I
know that I can off selinux just for httpd, but as I said turn off selinux
(or any part there of) is not an option at this time.
I did the two commands that you suggested and now I get the following
messages so progress is being made:
Mar 2 16:49:18 cisit6 kernel: audit(1109803758.925:0): avc: denied {
execute } for pid=5438
path=/opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so dev=dm-0
ino=551452 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
tclass=file
Mar 2 16:49:18 cisit6 httpd: mod_casp2: failed to open
/opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so, aborting.
Mar 2 16:49:18 cisit6 httpd: mod_casp2:
/opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so: failed to map
segment from shared object: Permission denied
Mar 2 16:49:18 cisit6 httpd: httpd startup failed
So I did a
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so
which got me to
Starting httpd: casp2ap: error loading Sun Java System Active Server Pages
dispatcher library -
/opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so
casp2ap: /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so: failed to
map segment from shared object: Permission denied
so then I did
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so
and now it appears to be working fine. The simple tests have passed with
flying colors. I have to test the database parts next.
So in short to get asp for linux working you have to do the following:
chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/
chcon -h -t shlib_t
/opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so
chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so
Can this be added to the targeted policy in the future?
Thanks for all of your help,
Jason Dravet
More information about the fedora-selinux-list
mailing list