12:53 p.m.
Or, more precisely, we have a std. directory, which is bind mounted, and
which was set with semanage fcontext -a -e /var/www /actual/path/htdocs,
and a file in <directory>/htdocs/<site>/cgi-bin/sub>/<sub?file
-rw-rw-r--. apache imagej unconfined_u:object_r:httpd_sys_script_exec_t:s0
is the file's info. From the names, I'm guessing some .cgi is writing a
count to it.
What *should* it be?
mark
12:57 p.m.
New subject: Trying again: why am I getting denials in a directory that has been labeled...
Not sure if you realize, but you didn't actually include any information
about the denial you are receiving. It's kind of tough to guess at what
it might be.
- J<
1:21 p.m.
New subject: Trying again: why am I getting denials in a directory that has
been labeled...
Jason L Tibbitts III wrote:
Not sure if you realize, but you didn't actually include any
information
about the denial you are receiving. It's kind of tough to guess at what
it might be.
SELinux is preventing Count.cgi from write access on the file...
Source Context system_u:system_r:httpd_sys_script_t:s0
Target Context
unconfined_u:object_r:httpd_sys_script_exec_t:s0
Policy RPM selinux-policy-3.13.1-192.el7_5.3.noarch
Raw Audit Messages
type=AVC msg=audit(1528998541.365:53668): avc: denied { write } for
pid= <snip> scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file
Better?
mark
5:13 a.m.
New subject: Trying again: why am I getting denials in a directory that has
been labeled...
On Thu, 14 Jun 2018 14:21:26 -0400
m.roth(a)5-cent.us wrote:
Jason L Tibbitts III wrote:
> Not sure if you realize, but you didn't actually include any
> information about the denial you are receiving. It's kind of tough
> to guess at what it might be.
SELinux is preventing Count.cgi from write access on the file...
Source Context system_u:system_r:httpd_sys_script_t:s0
Target Context
unconfined_u:object_r:httpd_sys_script_exec_t:s0
Policy RPM selinux-policy-3.13.1-192.el7_5.3.noarch
Raw Audit Messages
type=AVC msg=audit(1528998541.365:53668): avc: denied { write } for
pid= <snip> scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file
Better?
The file you want to write to should probably be
httpd_sys_rw_content_t rather than httpd_sys_script_exec_t.
Paul.
4:27 a.m.
New subject: Trying again: why am I getting denials in a directory that has
been labeled...
On 06/15/2018 12:13 PM, Paul Howarth wrote:
On Thu, 14 Jun 2018 14:21:26 -0400
m.roth(a)5-cent.us wrote:
> Jason L Tibbitts III wrote:
>> Not sure if you realize, but you didn't actually include any
>> information about the denial you are receiving. It's kind of tough
>> to guess at what it might be.
>
> SELinux is preventing Count.cgi from write access on the file...
> Source Context system_u:system_r:httpd_sys_script_t:s0
> Target Context
> unconfined_u:object_r:httpd_sys_script_exec_t:s0
> Policy RPM selinux-policy-3.13.1-192.el7_5.3.noarch
> Raw Audit Messages
> type=AVC msg=audit(1528998541.365:53668): avc: denied { write } for
> pid= <snip> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file
>
> Better?
The file you want to write to should probably be
httpd_sys_rw_content_t rather than httpd_sys_script_exec_t.
Agree with Paul, however should be file you want to write be executed as
cgi-bin script?
Lukas.
Paul.
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
2138
days inactive
2141
days old
selinux@lists.fedoraproject.org
4 comments
4 participants
participants (4)
-
Jason L Tibbitts III -
Lukas Vrabec -
m.roth@5-cent.us -
Paul Howarth