Permission denied to cgi-script when enforcing selinux on RHEL6

Jason L Tibbitts III tibbs at math.uh.edu
Tue Apr 10 14:55:17 UTC 2012


>>>>> "DG" == Dominick Grift <dominick.grift at gmail.com> writes:

DG> You should really see AVC denials when you build the policy.db with
DG> the dontaudit rules removed (semodule -DB)
DG> Maybe you've overlooked them?

I know the original question was about EL6 but I had some issues with
CGI-type stuff outside of a specific cgi-bin directory recently on F16,
and I was quite surprised that completely relevant AVCs were hidden
behind dontaudit rules.  In fact, I had no AVCs at all for that
situation; stuff just failed to work without any indication of why.
semodule -DB made it completely obvious, once you picked out the AVCs
that caused the problem from whatever random other stuff was expected to
happen.

Is there any reasonable explanation for why these AVCs are not shown by
default?

 - J<
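
Added example, not part of the original message: one way to pick the relevant AVCs out of the noise after semodule -DB, by grouping denials per source domain. The log records are constructed, and the function names and the httpd_ prefix filter are assumptions for illustration.

```python
import re
from collections import defaultdict

# Typical workflow (run as root): semodule -DB, reproduce the failure,
# save the output of `ausearch -m avc -ts recent`, then semodule -B to
# restore the dontaudit rules.
# Constructed sample records, not taken from the original thread.
SAMPLE_LOG = '''\
type=AVC msg=audit(1334069701.101:310): avc:  denied  { rlimitinh siginh noatsecure } for  pid=2101 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1334069717.204:311): avc:  denied  { getattr } for  pid=2345 comm="report.cgi" path="/srv/app/data.txt" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1334069717.204:311): arch=c000003e syscall=4 success=no exit=-13 comm="report.cgi"
type=AVC msg=audit(1334069717.209:312): avc:  denied  { read } for  pid=2345 comm="report.cgi" name="data.txt" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1334069720.330:313): avc:  denied  { getattr } for  pid=2345 comm="report.cgi" path="/srv/app/data.txt" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
'''

# Matches the denied permission set and the source/target contexts.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(':')[2]


def denials_for(log_text, domain_prefix):
    """Group denied permissions by (source type, target type, class) for
    source domains whose type starts with domain_prefix."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other non-AVC records
        stype = selinux_type(m['scon'])
        if stype.startswith(domain_prefix):
            key = (stype, selinux_type(m['tcon']), m['tclass'])
            grouped[key].update(m['perms'].split())
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == '__main__':
    for (src, tgt, cls), perms in denials_for(SAMPLE_LOG, 'httpd_').items():
        print(f'{src} -> {tgt}:{cls} {{ {" ".join(perms)} }}')
```
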

