[CentOS] selinux prohibiting sssd usage

Adam Wead amsterdamos at gmail.com
Wed Aug 10 17:27:18 UTC 2011


I can't think of any booleans off-hand, but you might try moving the
location of the gitweb.cgi to a folder where SELinux expects cgi executables
to be, such as /var/www.  Then if you relabel, it might put it in the
correct security context to fix the error.  This is how I solve about 90% of
my SELinux problems... just moving the files to the right location.
____________________________________________
Adam Wead
Systems and Digital Collections Librarian
Rock and Roll Hall of Fame and Museum
216.515.1960 (t)
215.515.1964 (f)


On Wed, Aug 10, 2011 at 12:32 PM, Paul Heinlein <heinlein at madboa.com> wrote:

> I've got a CentOS 6 machine that's slated to go into production
> providing some web and development-repository services.
>
> Part of the environment is gitweb, which works as expected with one
> glitch: SELinux doesn't allow gitweb.cgi to query sssd to display who
> owns the repositories.
>
> The audit log entries are pretty straightforward, e.g.,
>
> type=AVC msg=audit(XXXXXXXXXXXX): avc:  denied { search } for
> pid=XXXX comm="gitweb.cgi" name="sss" dev=XXX ino=XXXXXXXXXXX
> scontext=unconfined_u:system_r:httpd_git_script_t:s0
> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
>
> I'll use audit2allow to build a custom policy if need be, but what I'd
> really like to hear is that there's an SELinux boolean that can be
> tweaked or a file context that can be altered to make things work as
> expected.
>
> --
> Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
>