SELinux issues with httpd and mysql

Rodd Clarkson rodd at clarkson.id.au
Wed Feb 2 03:39:31 UTC 2005


Sorry if this has been covered, but I'm struggling to find anything
vaguely useful.

I'm having two SELinux-related problems with regard to httpd.

I've got httpd running CGI (Perl) scripts inside of suexec domains,
however I can't run Perl scripts from the command line inside
of /var/www/html/folder even though they are owned by the user/group
trying to run them.

Each time I try to run the scripts I get the following
in /var/log/messages:

Feb  2 14:36:49 localhost kernel: audit(1107315409.932:0): avc:  denied { read write } for  pid=6432 exe=/usr/bin/perl name=2 dev=devpts ino=4 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:object_r:devpts_t tclass=chr_file
Feb  2 14:36:49 localhost kernel: audit(1107315409.932:0): avc:  denied { read write } for  pid=6432 exe=/usr/bin/perl path=/dev/pts/2 dev=devpts ino=4 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:object_r:devpts_t tclass=chr_file
Feb  2 14:36:49 localhost last message repeated 2 times
Feb  2 14:36:49 localhost kernel: audit(1107315409.936:0): avc:  denied { getattr } for  pid=6432 exe=/usr/bin/perl path=/home/rodd/bin dev=hda2 ino=1596769 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:object_r:user_home_t tclass=dir
Feb  2 14:36:50 localhost kernel: audit(1107315410.142:0): avc:  denied { write } for  pid=6432 exe=/usr/bin/perl name=mysql.sock dev=hda6 ino=566526 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:var_lib_t tclass=sock_file


Also, and this is probably more critical, my CGI scripts are unable to
access MySQL.  Again, there's an SELinux-related message inside
of /var/log/messages:

Feb  2 14:38:34 localhost kernel: audit(1107315514.239:0): avc:  denied { read } for  pid=6449 exe=/usr/bin/perl name=tmp dev=hda6 ino=629126 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tmp_t tclass=lnk_file
Feb  2 14:38:34 localhost kernel: audit(1107315514.767:0): avc:  denied { write } for  pid=6449 exe=/usr/bin/perl name=mysql.sock dev=hda6 ino=566526 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:var_lib_t tclass=sock_file
Feb  2 14:38:35 localhost kernel: audit(1107315515.380:0): avc:  denied { read } for  pid=6450 exe=/usr/bin/perl name=tmp dev=hda6 ino=629126 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tmp_t tclass=lnk_file
Feb  2 14:38:35 localhost kernel: audit(1107315515.877:0): avc:  denied { write } for  pid=6450 exe=/usr/bin/perl name=mysql.sock dev=hda6 ino=566526 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:var_lib_t tclass=sock_file

Given that this is one of the oft-used reasons for CGI scripts (getting
stuff from MySQL), I'm a little surprised that this doesn't work out of
the box.

Hope someone can help.


Rodd

-- 
From the pain come the dream
From the dream come the vision
From the vision come the people
From the people come the power
From this power come the change

                         - Peter Gabriel
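As an added triage example (not part of Rodd's post, and not a Fedora or SELinux tool): the script below parses the AVC lines quoted in the message, rejoined onto single lines because the list archive wrapped them, collapses repeated denials into (source type, target type, object class, permissions) groups, and attaches a short heuristic reading to each group. The type names and paths are exactly those on the page; the interpretation strings are my own reading of those denials, and the generic-label set is an assumption about which types a confined client is never meant to write. The tools it names for the follow-up checks (ls -Z, matchpathcon, restorecon, audit2allow) are standard SELinux userland.

```python
"""Group SELinux AVC denials from syslog and give each group a first reading.

Added example; constructed input below is the post's own AVC lines rejoined.
"""
import re
from collections import OrderedDict

# Constructed sample: the distinct denials from the post, one record per line.
SAMPLE_LOG = """\
Feb  2 14:36:49 localhost kernel: audit(1107315409.932:0): avc:  denied { read write } for  pid=6432 exe=/usr/bin/perl name=2 dev=devpts ino=4 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:object_r:devpts_t tclass=chr_file
Feb  2 14:36:49 localhost kernel: audit(1107315409.932:0): avc:  denied { read write } for  pid=6432 exe=/usr/bin/perl path=/dev/pts/2 dev=devpts ino=4 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:object_r:devpts_t tclass=chr_file
Feb  2 14:36:49 localhost last message repeated 2 times
Feb  2 14:36:49 localhost kernel: audit(1107315409.936:0): avc:  denied { getattr } for  pid=6432 exe=/usr/bin/perl path=/home/rodd/bin dev=hda2 ino=1596769 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:object_r:user_home_t tclass=dir
Feb  2 14:36:50 localhost kernel: audit(1107315410.142:0): avc:  denied { write } for  pid=6432 exe=/usr/bin/perl name=mysql.sock dev=hda6 ino=566526 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:var_lib_t tclass=sock_file
Feb  2 14:38:34 localhost kernel: audit(1107315514.239:0): avc:  denied { read } for  pid=6449 exe=/usr/bin/perl name=tmp dev=hda6 ino=629126 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tmp_t tclass=lnk_file
Feb  2 14:38:34 localhost kernel: audit(1107315514.767:0): avc:  denied { write } for  pid=6449 exe=/usr/bin/perl name=mysql.sock dev=hda6 ino=566526 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:var_lib_t tclass=sock_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Assumption: generic directory-tree labels that no confined client should write.
GENERIC_TYPES = {"var_lib_t", "var_t", "var_run_t", "tmp_t", "usr_t", "etc_t"}


def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other syslog line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group(1).split())}
    rec.update(FIELD_RE.findall(m.group(2)))
    # Contexts are user:role:type[:mls]; policy rules are keyed on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # The kernel logs either a full path or just the final name component.
    rec["object"] = rec.get("path") or rec.get("name", "?")
    return rec


def group_denials(log_text):
    """Collapse repeated denials into (stype, ttype, tclass, perms) groups."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])
        g = groups.setdefault(key, {"count": 0, "objects": [], "exes": set()})
        g["count"] += 1
        if rec["object"] not in g["objects"]:
            g["objects"].append(rec["object"])
        g["exes"].add(rec.get("exe", "?"))
    return groups


def interpret(key):
    """Heuristic reading of one group (my interpretation, not policy documentation)."""
    stype, ttype, tclass, perms = key
    if ttype == "devpts_t" and tclass == "chr_file":
        return ("process confined to %s is using a terminal: the script was started "
                "from an interactive shell and the kernel transitioned it into the CGI "
                "domain on exec, so it is being tested under a domain that never gets a "
                "tty; run it as httpd would, or test a copy outside the labelled tree" % stype)
    if tclass == "sock_file" and ttype in GENERIC_TYPES:
        return ("client in %s wants to write a unix socket carrying the generic %s label; "
                "compare `ls -Z` on the socket with `matchpathcon` on its path and "
                "restorecon it if they differ; if they agree, the policy has no specific "
                "type for that socket and needs a rule, not a relabel" % (stype, ttype))
    if ttype == "user_home_t":
        return "%s has no business in home directories; probably PATH pulling in ~/bin" % stype
    if tclass == "lnk_file":
        return "symlink read denied during path resolution; usually a side effect of the denial that follows"
    return "no heuristic; feed the line to audit2allow to see the rule it would need"


def summarize(log_text):
    """Return [(key, count, objects, note)] for every denial group in the log."""
    return [(k, g["count"], g["objects"], interpret(k))
            for k, g in group_denials(log_text).items()]


if __name__ == "__main__":
    for (stype, ttype, tclass, perms), count, objects, note in summarize(SAMPLE_LOG):
        print("%dx %s -> %s %s { %s }  objects=%s" % (count, stype, ttype, tclass,
                                                     " ".join(perms), ", ".join(objects)))
        print("    " + note)
```

The grouping is what audit2allow does before it emits allow rules; the difference is that this stops at a reading of each group instead of a rule. Converting the mysql.sock denial straight into `allow httpd_sys_script_t var_lib_t:sock_file write` would let every CGI script on the box write any socket under the generic var_lib_t label, which is the kind of widening the confinement exists to prevent, so the label check comes first.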
