I'm trying to get cricket (cricket.sf.net) to work on FC6 with SELinux targeted enforcing. I get the following AVC when trying to view the grapher.cgi from my web browser:
type=AVC msg=audit(1168459205.932:49631): avc: denied { read } for pid=5499 comm="grapher.cgi" name="cricket" dev=dm-4 ino=5242884 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1168459205.932:49631): arch=40000003 syscall=195 success=no exit=-13 a0=8e10010 a1=bff4190c a2=42378ff4 a3=8e10010 items=0 ppid=5314 pid=5499 auid=10002 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="grapher.cgi" exe="/usr/bin/perl" subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
The ino number in the AVC is /var/cricket/cricket.
The application is installed in /var/cricket (from the legacy install) but if necessary I can move bits and pieces around to accommodate SELinux standards. I relabeled the entire /var/cricket tree to httpd_script_exec_t.
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t bin/
lrwxrwxrwx root    root    user_u:object_r:httpd_sys_script_exec_t   cricket -> cricket-1.0.5/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-1.0.5/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config-attic/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-data/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-logs/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t public_html/
Here is my relevant Apache config:
AddHandler cgi-script .cgi
NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin root@localhost
    DocumentRoot /var/cricket/public_html
    ServerName server.host.name
    ErrorLog /var/log/httpd/cricket/error_log
    CustomLog /var/log/httpd/cricket/access_log common
</VirtualHost>
<Directory "/var/cricket/public_html">
    AllowOverride Options FileInfo AuthConfig Limit
    Order allow,deny
    Allow from all
</Directory>
Has anyone had success running cricket with SELinux?
Thanks.
Chuck Anderson wrote:
> I'm trying to get cricket (cricket.sf.net) to work on FC6 with SELinux targeted enforcing. I get the following AVC when trying to view the grapher.cgi from my web browser:
>
> type=AVC msg=audit(1168459205.932:49631): avc: denied { read } for pid=5499 comm="grapher.cgi" name="cricket" dev=dm-4 ino=5242884 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1168459205.932:49631): arch=40000003 syscall=195 success=no exit=-13 a0=8e10010 a1=bff4190c a2=42378ff4 a3=8e10010 items=0 ppid=5314 pid=5499 auid=10002 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="grapher.cgi" exe="/usr/bin/perl" subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
>
> The ino number in the AVC is /var/cricket/cricket.
>
> The application is installed in /var/cricket (from the legacy install) but if necessary I can move bits and pieces around to accommodate SELinux standards. I relabeled the entire /var/cricket tree to httpd_script_exec_t.

httpd_sys_script_exec_t is the context for a cgi script. You should label it httpd_sys_content_t and I think it will work better.

> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t bin/
> lrwxrwxrwx root    root    user_u:object_r:httpd_sys_script_exec_t   cricket -> cricket-1.0.5/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-1.0.5/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config-attic/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-data/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-logs/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t public_html/
>
> Here is my relevant Apache config:
>
> AddHandler cgi-script .cgi
> NameVirtualHost *:80
> <VirtualHost *:80>
>     ServerAdmin root@localhost
>     DocumentRoot /var/cricket/public_html
>     ServerName server.host.name
>     ErrorLog /var/log/httpd/cricket/error_log
>     CustomLog /var/log/httpd/cricket/access_log common
> </VirtualHost>
> <Directory "/var/cricket/public_html">
>     AllowOverride Options FileInfo AuthConfig Limit
>     Order allow,deny
>     Allow from all
> </Directory>
>
> Has anyone had success running cricket with SELinux?
>
> Thanks.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Wed, Jan 10, 2007 at 04:45:23PM -0500, Daniel J Walsh wrote:
> > The application is installed in /var/cricket (from the legacy install) but if necessary I can move bits and pieces around to accommodate SELinux standards. I relabeled the entire /var/cricket tree to httpd_script_exec_t.
>
> httpd_sys_script_exec_t is the context for a cgi script. You should label it httpd_sys_content_t and I think it will work better.
Thanks. This works, but I had trouble labeling the symlinks. I ended up deleting and recreating the symlinks and they acquired the correct context from the parent directory.
Is there an easy way to label a symlink with chcon?
Chuck Anderson wrote:
> On Wed, Jan 10, 2007 at 04:45:23PM -0500, Daniel J Walsh wrote:
> > > The application is installed in /var/cricket (from the legacy install) but if necessary I can move bits and pieces around to accommodate SELinux standards. I relabeled the entire /var/cricket tree to httpd_script_exec_t.
> >
> > httpd_sys_script_exec_t is the context for a cgi script. You should label it httpd_sys_content_t and I think it will work better.
>
> Thanks. This works, but I had trouble labeling the symlinks. I ended up deleting and recreating the symlinks and they acquired the correct context from the parent directory.
>
> Is there an easy way to label a symlink with chcon?
"man chcon" and see the "-h" option.
Paul.
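As an added example (not code from this thread, from cricket, or from the SELinux tools), the script below does by machine what the thread does by hand across the three messages: it parses the AVC record Chuck posted, reads off that a CGI running in the httpd_sys_script_t domain was denied read on a symlink (tclass=lnk_file) still carrying the httpd_sys_script_exec_t label, and emits the chcon commands that follow from Daniel's advice (relabel non-script content httpd_sys_content_t) and Paul's answer (use -h so chcon relabels the link itself rather than its target). The shortened listing, the "/var/cricket" mount point passed to find_inode_cmd (find -inum is how the ino in an AVC is mapped back to a path) and the keep_as_script directory are constructed assumptions; the actual CGI scripts must keep the script-exec label, so whatever directory holds them is passed in keep_as_script.

```python
import re
import shlex

# Constructed sample input: the AVC record from the thread, as one audit.log line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1168459205.932:49631): avc: denied { read } for pid=5499 '
    'comm="grapher.cgi" name="cricket" dev=dm-4 ino=5242884 '
    'scontext=user_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=user_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file'
)

# Constructed sample input: a shortened "ls -Z"-style listing of /var/cricket
# from the thread (mode, user, group, context, name), one entry per line.
SAMPLE_LISTING = """\
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t bin/
lrwxrwxrwx root root user_u:object_r:httpd_sys_script_exec_t cricket -> cricket-1.0.5/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-1.0.5/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t public_html/
"""

SCRIPT_EXEC_TYPE = "httpd_sys_script_exec_t"  # label for the CGI scripts themselves
CONTENT_TYPE = "httpd_sys_content_t"          # label suggested in the thread for everything else

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """user:role:type[:range] -> type (the field type-enforcement rules act on)."""
    return context.split(":")[2]


def parse_avc(line):
    """Pull the fields that matter for triage out of one type=AVC record; None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "ino": fields.get("ino"),
        "tclass": fields.get("tclass"),
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
    }


def find_inode_cmd(mount_point, ino):
    """Command that maps the ino from the AVC back to a path, the step done by hand in the
    thread. Assumes the filesystem behind dev= is mounted at mount_point; -xdev stays on it."""
    return f"find {shlex.quote(mount_point)} -xdev -inum {int(ino)}"


def chcon_cmd(path, new_type, is_symlink=False, recursive=False):
    """chcon invocation; -h relabels the link itself rather than the file it points to."""
    flags = ("-h " if is_symlink else "") + ("-R " if recursive else "")
    return f"chcon {flags}-t {new_type} {shlex.quote(path)}"


def suggest_relabel(rec, path):
    """Apply the thread's diagnosis to a parsed AVC: a CGI domain (httpd_sys_script_t)
    denied read on an object still labelled as a script executable should have that
    object relabelled as web content. Returns the chcon command, or None if the
    denial does not match this pattern."""
    if rec is None or rec["result"] != "denied" or "read" not in rec["perms"]:
        return None
    if rec["source_type"] != "httpd_sys_script_t" or rec["target_type"] != SCRIPT_EXEC_TYPE:
        return None
    return chcon_cmd(path, CONTENT_TYPE, is_symlink=(rec["tclass"] == "lnk_file"))


def relabel_plan(listing, root, keep_as_script=()):
    """One chcon per top-level entry still carrying the script-exec label. Directories
    are relabelled recursively, symlinks with -h. Names in keep_as_script (assumption:
    whichever directory holds the actual CGI scripts) are left alone."""
    cmds = []
    for line in listing.splitlines():
        mode, _user, _group, context, name = line.split(None, 4)
        name = name.split(" -> ")[0].rstrip("/")  # drop the symlink target and trailing /
        if selinux_type(context) != SCRIPT_EXEC_TYPE or name in keep_as_script:
            continue
        cmds.append(chcon_cmd(f"{root.rstrip('/')}/{name}", CONTENT_TYPE,
                              is_symlink=mode.startswith("l"),
                              recursive=mode.startswith("d")))
    return cmds


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(f"{rec['comm']} ({rec['source_type']}) denied {rec['perms']} on "
          f"{rec['tclass']} '{rec['name']}' labelled {rec['target_type']}")
    print(find_inode_cmd("/var/cricket", rec["ino"]))
    print(suggest_relabel(rec, "/var/cricket/cricket"))
    for cmd in relabel_plan(SAMPLE_LISTING, "/var/cricket", keep_as_script=("bin",)):
        print(cmd)
```

The script only prints commands; run them by hand after checking each path. Note that chcon changes are not persistent across a filesystem relabel, which is why the symlinks recreated from the parent directory picked up the right context: a context set with chcon is lost on restorecon or relabel unless an equivalent file-context rule exists.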