[CentOS] SELinux targeted + httpd + suexec

Fri Sep 8 20:56:37 UTC 2006
Leonardo Vilela Pinheiro <leopinheiro at gmail.com>

Hi,

I have read:

http://lists.centos.org/pipermail/centos/2005-March/003429.html,
http://fedora.redhat.com/docs/selinux-apache-fc3/sn-using-other-types.html
RedHat Selinux Documentation (PDF)   (some parts)

and they helped me solve a some difficulties, including the necessity to
mount /var/www with -o suid.

Now I'm getting  these 2 errors in /var/log/messages whenever I execute a
cgi:

%--------------------------
avc:  denied  { create } for  pid=17995 comm="suexec"
scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_suexec_t
tclass=netlink_route_socket

avc:  denied  { read } for  pid=17995 comm="suexec" name="cert.pem" dev=dm-0
ino=520402 scontext=root:system_r:httpd_suexec_t
tcontext=system_u:object_r:usr_t tclass=lnk_file
%--------------------------

This is independent of the script being perl or sh, and despite the errors
the cgi executes correctly.

'sestatus' reports:

httpd_builtin_scripting active
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   inactive
httpd_ssi_exec          inactive
httpd_tty_comm          inactive
httpd_unified           inactive

Either httpd_ssi_exec or httpd_unified have made no difference in those
errors.

When I deactivate mod_suexec and comment SuexecUserGroup in Apache configs,
those errors stop appearing.

So I think this problem has to do directly with selinux policy and
mod_suexec.

Could this be a bug on selinux-policy-targeted, that doesn't bring 100%
support for the "native" mod_suexec?

-- 
Vilela
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20060908/c6389b08/attachment-0004.html>