[CentOS] SELinux targeted + httpd + suexec

Leonardo Vilela Pinheiro leopinheiro at gmail.com
Fri Sep 8 20:56:37 UTC 2006


I have read:

RedHat Selinux Documentation (PDF)   (some parts)

and they helped me solve a some difficulties, including the necessity to
mount /var/www with -o suid.

Now I'm getting  these 2 errors in /var/log/messages whenever I execute a

avc:  denied  { create } for  pid=17995 comm="suexec"
scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_suexec_t

avc:  denied  { read } for  pid=17995 comm="suexec" name="cert.pem" dev=dm-0
ino=520402 scontext=root:system_r:httpd_suexec_t
tcontext=system_u:object_r:usr_t tclass=lnk_file

This is independent of the script being perl or sh, and despite the errors
the cgi executes correctly.

'sestatus' reports:

httpd_builtin_scripting active
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   inactive
httpd_ssi_exec          inactive
httpd_tty_comm          inactive
httpd_unified           inactive

Either httpd_ssi_exec or httpd_unified have made no difference in those

When I deactivate mod_suexec and comment SuexecUserGroup in Apache configs,
those errors stop appearing.

So I think this problem has to do directly with selinux policy and

Could this be a bug on selinux-policy-targeted, that doesn't bring 100%
support for the "native" mod_suexec?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20060908/c6389b08/attachment.html>

More information about the CentOS mailing list