Hi,<br><br>I have read:<br><br><a href="http://lists.centos.org/pipermail/centos/2005-March/003429.html">http://lists.centos.org/pipermail/centos/2005-March/003429.html</a>, <a href="http://fedora.redhat.com/docs/selinux-apache-fc3/sn-using-other-types.html">
http://fedora.redhat.com/docs/selinux-apache-fc3/sn-using-other-types.html</a><br>RedHat Selinux Documentation (PDF) (some parts)<br><br>and they helped me solve some difficulties, including the necessity to mount /var/www with -o suid.
<br><br>Now I'm getting these 2 errors in /var/log/messages whenever I execute a cgi:<br><br>%--------------------------<br>avc: denied { create } for pid=17995 comm="suexec" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_suexec_t tclass=netlink_route_socket
<br><br>avc: denied { read } for pid=17995 comm="suexec" name="cert.pem" dev=dm-0 ino=520402 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:usr_t tclass=lnk_file<br>%--------------------------
<br><br>This is independent of the script being perl or sh, and despite the errors the cgi executes correctly.<br><br>'sestatus' reports:<br><br>httpd_builtin_scripting active<br>httpd_disable_trans inactive<br>httpd_enable_cgi active
<br>httpd_enable_homedirs inactive<br>httpd_ssi_exec inactive<br>httpd_tty_comm inactive<br>httpd_unified inactive<br><br>Either httpd_ssi_exec or httpd_unified have made no difference in those errors.
<br><br>When I deactivate mod_suexec and comment out SuexecUserGroup in the Apache configs, those errors stop appearing.<br><br>So I think this problem has to do directly with selinux policy and mod_suexec.<br><br>Could this be a bug in selinux-policy-targeted, which doesn't bring 100% support for the "native" mod_suexec?
<br><br>-- <br>Vilela
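
Added example, not part of the original message: a short Python parser that breaks the two AVC denials quoted above into source type, target type, object class and permissions, and renders each as the type-enforcement rule it corresponds to, in the `allow` syntax that audit2allow prints. The function names are this example's own, and the sample input is the two log lines from the message.

```python
import re
from collections import defaultdict

# The two denials quoted in the message above, used as sample input.
SAMPLE = '''\
avc: denied { create } for pid=17995 comm="suexec" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_suexec_t tclass=netlink_route_socket
avc: denied { read } for pid=17995 comm="suexec" name="cert.pem" dev=dm-0 ino=520402 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:usr_t tclass=lnk_file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None  # truncated record, nothing to build a rule from
    fields['perms'] = m.group(1).split()
    return fields

def context_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def allow_rules(log_text):
    """Group denials by (source type, target type, class) and render rules."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src = context_type(rec['scontext'])
        tgt = context_type(rec['tcontext'])
        if src is None or tgt is None:
            continue
        if src == tgt:
            tgt = 'self'  # a domain acting on its own objects, e.g. its sockets
        grouped[(src, tgt, rec['tclass'])].update(rec['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == '__main__':
    for rule in allow_rules(SAMPLE):
        print(rule)
```

Both rules name httpd_suexec_t as the source domain, so the denials come from the suexec helper's own domain rather than from httpd_t.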