cricket grapher.cgi

Chuck Anderson cra at WPI.EDU
Wed Jan 10 20:11:06 UTC 2007


I'm trying to get cricket (cricket.sf.net) to work on FC6 with SELinux 
targeted enforcing.  I get the following AVC when trying to view the 
grapher.cgi from my web browser:

type=AVC msg=audit(1168459205.932:49631): avc:  denied  { read } for  
pid=5499 comm="grapher.cgi" name="cricket" dev=dm-4 ino=5242884 
scontext=user_u:system_r:httpd_sys_script_t:s0 
tcontext=user_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1168459205.932:49631): arch=40000003 
syscall=195 success=no exit=-13 a0=8e10010 a1=bff4190c a2=42378ff4 
a3=8e10010 items=0 ppid=5314 pid=5499 auid=10002 uid=48 gid=48 euid=48 
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) 
comm="grapher.cgi" exe="/usr/bin/perl" 
subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)

The ino number in the AVC is /var/cricket/cricket.

The application is installed in /var/cricket (from the legacy install) 
but if necessary I can move bits and pieces around to accommodate 
SELinux standards.  I relabeled the entire /var/cricket tree to 
httpd_script_exec_t.

drwxr-xr-x  cricket cricket system_u:object_r:httpd_sys_script_exec_t bin/
lrwxrwxrwx  root    root    user_u:object_r:httpd_sys_script_exec_t cricket -> cricket-1.0.5/
drwxr-xr-x  cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-1.0.5/
drwxr-xr-x  cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config/
drwxr-xr-x  cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config-attic/
drwxr-xr-x  cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-data/
drwxr-xr-x  cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-logs/
drwxr-xr-x  cricket cricket system_u:object_r:httpd_sys_script_exec_t public_html/

Here is my relevant Apache config:

AddHandler cgi-script .cgi

NameVirtualHost *:80

<VirtualHost *:80>
	ServerAdmin root@localhost
	DocumentRoot /var/cricket/public_html
	ServerName server.host.name
	ErrorLog /var/log/httpd/cricket/error_log
	CustomLog /var/log/httpd/cricket/access_log common
</VirtualHost>

<Directory "/var/cricket/public_html">
    AllowOverride Options FileInfo AuthConfig Limit
    Order allow,deny
    Allow from all
</Directory>

Has anyone had success running cricket with SELinux?

Thanks.
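
The denial quoted in the message above, decoded field by field: an added example, not part of the original post and not the output of any SELinux tool. The function names are hypothetical, and the sample input is the AVC and SYSCALL records copied from the message with the mail client's line wraps left in.

```python
import re

# The AVC and SYSCALL records quoted in the post, mail line wraps included.
SAMPLE = """\
type=AVC msg=audit(1168459205.932:49631): avc:  denied  { read } for
pid=5499 comm="grapher.cgi" name="cricket" dev=dm-4 ino=5242884
scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1168459205.932:49631): arch=40000003
syscall=195 success=no exit=-13 a0=8e10010 a1=bff4190c a2=42378ff4
a3=8e10010 items=0 ppid=5314 pid=5499 auid=10002 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="grapher.cgi" exe="/usr/bin/perl"
subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
"""

RECORD = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")

def parse_records(text):
    """Yield (record type, event serial, fields) for each audit record."""
    flat = " ".join(text.split())  # undo line wraps and runs of spaces
    starts = [m.start() for m in RECORD.finditer(flat)] + [len(flat)]
    for begin, end in zip(starts, starts[1:]):
        chunk = flat[begin:end]
        rtype, serial = RECORD.match(chunk).groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(chunk)}
        if rtype == "AVC":
            verdict, perms = PERMS.search(chunk).groups()
            fields.update(verdict=verdict, perms=perms.split())
        yield rtype, serial, fields

def summarize(text):
    """Join AVC and SYSCALL records that share a serial; one dict per denial."""
    events = {}
    for rtype, serial, fields in parse_records(text):
        events.setdefault(serial, {})[rtype] = fields
    denials = []
    for serial, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or avc["verdict"] != "denied":
            continue
        denials.append({
            "serial": serial, "name": avc.get("name"), "perms": avc["perms"],
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"], "exe": sc.get("exe"),
            "errno": -int(sc["exit"]) if "exit" in sc else None})
    return denials
```

For the records in the message, `summarize(SAMPLE)` returns a single denial: a process in `httpd_sys_script_t` refused `read` on a `lnk_file` named `cricket` that is labelled `httpd_sys_script_exec_t`, with the syscall returning errno 13.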



