suexec with fcgid-script in userdir site
Paul Howarth
paul at city-fan.org
Fri Dec 12 07:38:49 UTC 2008
On Fri, 12 Dec 2008 16:34:51 +1000
Alexander Slesarev <alex.slesarev at gmail.com> wrote:
> Hello!
>
> I have a site in my userdir working via fcgid-script. But this script
> is not working - SELinux prevents it.
>
> SELinux is preventing suexec (httpd_suexec_t) "getattr" to
> /home/nuald/public_html/codedgers/trunk/src/codedgers/site.fcgi
> (httpd_unconfined_script_exec_t).
>
> AVC raw messages:
>
> host=elc6002.eellc.ru type=AVC msg=audit(1227234886.189:172): avc:
> denied { getattr } for pid=9514 comm="suexec"
> path="/home/nuald/public_html/codedgers/trunk/src/codedgers/site.fcgi"
> dev=dm-2 ino=361072 scontext=unconfined_u:system_r:httpd_suexec_t:s0
> tcontext=unconfined_u:object_r:httpd_unconfined_script_exec_t:s0
> tclass=file host=elc6002.eellc.ru type=SYSCALL
> msg=audit(1227234886.189:172): arch=40000003 syscall=196 success=no
> exit=-13 a0=bff4efe1 a1=bff4c8a4 a2=2acff4 a3=bff4efe1 items=0
> ppid=9328 pid=9514 auid=500 uid=500 gid=500 euid=500 suid=500
> fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="suexec"
> exe="/usr/sbin/suexec" subj=unconfined_u:system_r:httpd_suexec_t:s0
> key=(null)
>
> What can I do? I tried different scenarios but nothing helps.
>
> By the way - there is httpd_suexec_disable_trans boolean? I can't set
> it up.
>
> I'm using Fedora 10 with all latest updates. Thanks in advance.
There have been no disable_trans booleans for a long time as they can
result in labelling problems when used. However, in Fedora 10 you can
make httpd_suexec_t a permissive domain without putting the whole
system in permissive mode:
semanage permissive -a httpd_suexec_t
Paul.
More information about the fedora-selinux-list
mailing list