awstats and selinux

Stuart Sears stuart at sjsears.com
Fri Apr 28 21:39:43 UTC 2006


Paul Lemmons wrote:
<lots of snipped stuff>
> Anyway, when I looked there I saw:
> 
> 
> ...kernel: audit(1146243585.213:27): avc:  denied  { execute } for
> pid=20973 comm="httpd" name="awstats.pl" dev=dm-0 ino=1082675
> scontext=root:system_r:httpd_t 
> tcontext=system_u:object_r:usr_t
So the SELinux file context of the awstats Perl script is wrong. Or at
least it is set to something (usr_t) that Apache (running in the httpd_t
domain) is not permitted to execute.

> tclass=file
What happens if you do
chcon -t httpd_sys_script_exec_t /path/to/awstats.pl

system_u:object_r:httpd_sys_script_exec_t is the standard context for
CGI scripts. httpd_t is allowed to run these.

(You may need to do this for the other awstats scripts as well, if there
are a few.)
> 
> 
> I turned off selinux with the "setenforce 0" command and it started
> working. 
> 
> Now, the problem here is that I really do not want to run my production
> server without selinux turned on and was not able to figure out how to
> correct the conflict. Anybody that could offer a pointer in the right
> direction will be my new best friend :)

HTH

Regards

Stuart
--
Stuart Sears RHCA RHCX
To err is human, to forgive is Not Company Policy.
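Added example, not part of the message above: shell functions that pull the fields out of the AVC denial quoted in the thread and, when httpd_t is refused execute on a file that is not labelled httpd_sys_script_exec_t, print the chcon command from the reply. The function names are assumptions made for this example, and /path/to/ is a placeholder because the AVC record carries only the file's base name.

```shell
#!/bin/sh
# AVC denial quoted in the thread, joined onto one line as syslog records it.
SAMPLE='kernel: audit(1146243585.213:27): avc:  denied  { execute } for pid=20973 comm="httpd" name="awstats.pl" dev=dm-0 ino=1082675 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file'

# avc_field LINE KEY: print the value of KEY=value, without surrounding quotes.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\).*/\1/p"
}

# avc_type LINE KEY: print the type (third field) of an scontext or tcontext.
avc_type() {
    avc_field "$1" "$2" | cut -d: -f3
}

# avc_perms LINE: print the denied permissions listed between the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# check_cgi_label LINE: when httpd_t was denied execute on a regular file
# that does not carry the CGI script type, print the relabel command from the
# reply. The record holds only the base name, so /path/to/ is a placeholder.
check_cgi_label() {
    case $1 in *avc:*denied*) ;; *) return 1 ;; esac
    case " $(avc_perms "$1") " in *" execute "*) ;; *) return 1 ;; esac
    [ "$(avc_type "$1" scontext)" = httpd_t ] || return 1
    [ "$(avc_field "$1" tclass)" = file ] || return 1
    [ "$(avc_type "$1" tcontext)" != httpd_sys_script_exec_t ] || return 1
    printf 'chcon -t httpd_sys_script_exec_t /path/to/%s\n' \
        "$(avc_field "$1" name)"
}

check_cgi_label "$SAMPLE"
```

A label set with chcon is overwritten by restorecon or a filesystem relabel unless the file-context rules are updated as well (semanage fcontext on current systems).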



