cricket grapher.cgi

Daniel J Walsh dwalsh at redhat.com
Wed Jan 10 21:45:23 UTC 2007 

Chuck Anderson wrote:
> I'm trying to get cricket (cricket.sf.net) to work on FC6 with SELinux 
> targeted enforcing.  I get the following AVC when trying to view the 
> grapher.cgi from my web browser:
>
> type=AVC msg=audit(1168459205.932:49631): avc:  denied  { read } for  
> pid=5499 comm="grapher.cgi" name="cricket" dev=dm-4 ino=5242884 
> scontext=user_u:system_r:httpd_sys_script_t:s0 
> tcontext=user_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1168459205.932:49631): arch=40000003 
> syscall=195 success=no exit=-13 a0=8e10010 a1=bff4190c a2=42378ff4 
> a3=8e10010 items=0 ppid=5314 pid=5499 auid=10002 uid=48 gid=48 euid=48 
> suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) 
> comm="grapher.cgi" exe="/usr/bin/perl" 
> subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
>
>   



> The ino number in the AVC is /var/cricket/cricket.
>
> The application is installed in /var/cricket (from the legacy install) 
> but if necessary I can move bits and pieces around to accomodate 
> SELinux standards.  I relabeled the entire /var/cricket tree to 
> httpd_script_exec_t.
httpd_sys_script_exec_t is the context for a cgi script.
You should label it httpd_sys_content_t  and I think it will work better.
> drwxr-xr-x  cricket cricket system_u:object_r:httpd_sys_script_exec_t bin/
> lrwxrwxrwx  root    root    user_u:object_r:httpd_sys_script_exec_t cricket -> cricket-1.0.5/
> drwxr-xr-x  cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-1.0.5/
> drwxr-xr-x  cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config/
> drwxr-xr-x  cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config-attic/
> drwxr-xr-x  cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-data/
> drwxr-xr-x  cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-logs/
> drwxr-xr-x  cricket cricket system_u:object_r:httpd_sys_script_exec_t public_html/
>
> Here is my relavent Apache config:
>
> AddHandler cgi-script .cgi
>
> NameVirtualHost *:80
>
> <VirtualHost *:80>
> 	ServerAdmin root at localhost
> 	DocumentRoot /var/cricket/public_html
> 	ServerName server.host.name
> 	ErrorLog /var/log/httpd/cricket/error_log
> 	CustomLog /var/log/httpd/cricket/access_log common
> </VirtualHost>
>
> <Directory "/var/cricket/public_html">
>     AllowOverride Options FileInfo AuthConfig Limit
>     Order allow,deny
>     Allow from all
> </Directory>
>
> Has anyone had success running cricket with SELinux?
>
> Thanks.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

More information about the fedora-selinux-list mailing list