Hi,

I have read:

http://lists.centos.org/pipermail/centos/2005-March/003429.html, http://fedora.redhat.com/docs/selinux-apache-fc3/sn-using-other-types.html RedHat Selinux Documentation (PDF) (some parts)

and they helped me solve a some difficulties, including the necessity to mount /var/www with -o suid.

Now I'm getting these 2 errors in /var/log/messages whenever I execute a cgi:

%-------------------------- avc: denied { create } for pid=17995 comm="suexec" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_suexec_t tclass=netlink_route_socket

avc: denied { read } for pid=17995 comm="suexec" name="cert.pem" dev=dm-0 ino=520402 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:usr_t tclass=lnk_file %--------------------------

This is independent of the script being perl or sh, and despite the errors the cgi executes correctly.

'sestatus' reports:

httpd_builtin_scripting active httpd_disable_trans inactive httpd_enable_cgi active httpd_enable_homedirs inactive httpd_ssi_exec inactive httpd_tty_comm inactive httpd_unified inactive

Either httpd_ssi_exec or httpd_unified have made no difference in those errors.

When I deactivate mod_suexec and comment SuexecUserGroup in Apache configs, those errors stop appearing.

So I think this problem has to do directly with selinux policy and mod_suexec.

Could this be a bug on selinux-policy-targeted, that doesn't bring 100% support for the "native" mod_suexec?