cricket grapher.cgi
Daniel J Walsh
dwalsh at redhat.com
Wed Jan 10 21:45:23 UTC 2007
Chuck Anderson wrote:
> I'm trying to get cricket (cricket.sf.net) to work on FC6 with SELinux
> targeted enforcing. I get the following AVC when trying to view the
> grapher.cgi from my web browser:
>
> type=AVC msg=audit(1168459205.932:49631): avc: denied { read } for
> pid=5499 comm="grapher.cgi" name="cricket" dev=dm-4 ino=5242884
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1168459205.932:49631): arch=40000003
> syscall=195 success=no exit=-13 a0=8e10010 a1=bff4190c a2=42378ff4
> a3=8e10010 items=0 ppid=5314 pid=5499 auid=10002 uid=48 gid=48 euid=48
> suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
> comm="grapher.cgi" exe="/usr/bin/perl"
> subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
>
>
> The ino number in the AVC is /var/cricket/cricket.
>
> The application is installed in /var/cricket (from the legacy install)
> but if necessary I can move bits and pieces around to accommodate
> SELinux standards. I relabeled the entire /var/cricket tree to
> httpd_script_exec_t.

httpd_sys_script_exec_t is the context for a cgi script.
You should label it httpd_sys_content_t and I think it will work better.

> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t bin/
> lrwxrwxrwx root root user_u:object_r:httpd_sys_script_exec_t cricket -> cricket-1.0.5/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-1.0.5/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config-attic/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-data/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-logs/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t public_html/
>
> Here is my relevant Apache config:
>
> AddHandler cgi-script .cgi
>
> NameVirtualHost *:80
>
> <VirtualHost *:80>
> ServerAdmin root at localhost
> DocumentRoot /var/cricket/public_html
> ServerName server.host.name
> ErrorLog /var/log/httpd/cricket/error_log
> CustomLog /var/log/httpd/cricket/access_log common
> </VirtualHost>
>
> <Directory "/var/cricket/public_html">
> AllowOverride Options FileInfo AuthConfig Limit
> Order allow,deny
> Allow from all
> </Directory>
>
> Has anyone had success running cricket with SELinux?
>
> Thanks.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
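
To read the denial quoted above field by field, the following added example (not code from the post or from the cricket or SELinux projects) parses the two audit records and pairs the AVC with its SYSCALL record by event serial. The function names are hypothetical; the records are the ones from the post, unwrapped to one line each.

```python
import re

# Audit records copied from the post, unwrapped to one line each.
RECORDS = [
    'type=AVC msg=audit(1168459205.932:49631): avc: denied { read } for '
    'pid=5499 comm="grapher.cgi" name="cricket" dev=dm-4 ino=5242884 '
    'scontext=user_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=user_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file',
    'type=SYSCALL msg=audit(1168459205.932:49631): arch=40000003 '
    'syscall=195 success=no exit=-13 a0=8e10010 a1=bff4190c a2=42378ff4 '
    'a3=8e10010 items=0 ppid=5314 pid=5499 auid=10002 uid=48 gid=48 euid=48 '
    'suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) '
    'comm="grapher.cgi" exe="/usr/bin/perl" '
    'subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)',
]
EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return one audit record as a dict of its key=value fields."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = EVENT_ID.search(line)
    fields['event'] = m.group(2) if m else None  # serial shared by AVC and SYSCALL
    p = PERMS.search(line)
    fields['perms'] = p.group(1).split() if p else []
    return fields

def selinux_type(context):
    """Type is the third colon-separated field of user:role:type[:level]."""
    return context.split(':')[2]

def summarize(lines):
    """Join each AVC denial with the SYSCALL record of the same event."""
    recs = [parse_record(line) for line in lines]
    syscalls = {r['event']: r for r in recs if r.get('type') == 'SYSCALL'}
    out = []
    for r in (x for x in recs if x.get('type') == 'AVC'):
        sc = syscalls.get(r['event'], {})
        out.append({
            'perms': r['perms'], 'class': r['tclass'], 'name': r['name'],
            'source_type': selinux_type(r['scontext']),
            'target_type': selinux_type(r['tcontext']),
            'exe': sc.get('exe'), 'exit': sc.get('exit'),
        })
    return out

if __name__ == '__main__':
    print(summarize(RECORDS))
```

For the post's records this reports a `read` denial on the `lnk_file` named `cricket`, with source type `httpd_sys_script_t` and target type `httpd_sys_script_exec_t`, raised while `/usr/bin/perl` was running `grapher.cgi`.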