Permission denied to cgi-script when enforcing selinux on RHEL6

Dominick Grift dominick.grift at gmail.com
Tue Apr 10 15:00:53 UTC 2012


On Tue, 2012-04-10 at 09:55 -0500, Jason L Tibbitts III wrote:
> >>>>> "DG" == Dominick Grift <dominick.grift at gmail.com> writes:
> 
> DG> You should really see AVC denials when you build the policy.db with
> DG> the dontaudit rules removed (semodule -DB)
> DG> Maybe you've overlooked them?
> 
> I know the original question was about EL6 but I had some issues with
> CGI-type stuff outside of a specific cgi-bin directory recently on F16,
> and I was quite surprised that completely relevant AVCs were hidden
> behind dontaudit rules.  In fact, I had no AVCs at all for that
> situation; stuff just failed to work without any indication of why.
> semodule -DB made it completely obvious, once you picked out the AVCs
> that caused the problem from whatever random other stuff was expected to
> happen.
> 
> Is there any reasonable explanation for why these AVCs are not shown by
> default?

There should be but i cant think of any.

I have encountered similar issues with daemons trying to traverse $USER
being dontaudited; i dont like it either.

>  - J<




More information about the selinux mailing list