suexec with fcgid-script in userdir site
Daniel J Walsh
dwalsh at redhat.com
Mon Dec 15 14:11:08 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Paul Howarth wrote:
> On Fri, 12 Dec 2008 16:34:51 +1000
> Alexander Slesarev <alex.slesarev at gmail.com> wrote:
>
>> Hello!
>>
>> I have a site in my userdir working via fcgid-script. But this script
>> is not working - SELinux prevents it.
>>
>> SELinux is preventing suexec (httpd_suexec_t) "getattr" to
>> /home/nuald/public_html/codedgers/trunk/src/codedgers/site.fcgi
>> (httpd_unconfined_script_exec_t).
>>
>> AVC raw messages:
>>
>> host=elc6002.eellc.ru type=AVC msg=audit(1227234886.189:172): avc:
>> denied { getattr } for pid=9514 comm="suexec"
>> path="/home/nuald/public_html/codedgers/trunk/src/codedgers/site.fcgi"
>> dev=dm-2 ino=361072 scontext=unconfined_u:system_r:httpd_suexec_t:s0
>> tcontext=unconfined_u:object_r:httpd_unconfined_script_exec_t:s0
>> tclass=file host=elc6002.eellc.ru type=SYSCALL
>> msg=audit(1227234886.189:172): arch=40000003 syscall=196 success=no
>> exit=-13 a0=bff4efe1 a1=bff4c8a4 a2=2acff4 a3=bff4efe1 items=0
>> ppid=9328 pid=9514 auid=500 uid=500 gid=500 euid=500 suid=500
>> fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="suexec"
>> exe="/usr/sbin/suexec" subj=unconfined_u:system_r:httpd_suexec_t:s0
>> key=(null)
>>
>> What can I do? I tried different scenarios but nothing helps.
>>
>> By the way - there is httpd_suexec_disable_trans boolean? I can't set
>> it up.
>>
>> I'm using Fedora 10 with all latest updates. Thanks in advance.
>
> There have been no disable_trans booleans for a long time as they can
> result in labelling problems when used. However, in Fedora 10 you can
> make httpd_suexec_t a permissive domain without putting the whole
> system in permissive mode:
>
> semanage permissive -a httpd_suexec_t
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Or simply add the permission to the system
# grep site.fcgi /var/log/audit/audit.log | audit2allow -M mycgi
# semodule -i mycgi.pp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAklGZXwACgkQrlYvE4MpobOj2gCeJwYhcroBA+7zNrCriCRqvV1L
QjAAnA0GyA2KjFyFdhCta8QGYhGdF4CB
=u9Vm
-----END PGP SIGNATURE-----
More information about the fedora-selinux-list
mailing list