[CentOS] if you install cgi programs from rpm, how to configure for actual use in /var/www/html ?

Fri Jan 7 16:43:32 UTC 2011
Daniel J Walsh <dwalsh at redhat.com>

Hash: SHA1

On 01/06/2011 11:31 PM, Paul Johnson wrote:
> On Wed, Jan 5, 2011 at 11:46 AM, Les Mikesell <lesmikesell at gmail.com> wrote:
>> On 1/5/2011 10:42 AM, Paul Johnson wrote:
>> What is keeping it from working with the supplied:
>> Alias /phpMyAdmin /usr/share/phpMyAdmin
>> (i.e. to the install location)?
>> --
>>   Les Mikesell
>>    lesmikesell at gmail.com
> You mean to say it does work for you, as delivered? Or that it ought
> to work for me, but you are just guessing?
> In RedHat 6, at least, I cannot get ANY application to work if it does
> not offer files up from /var/www/html (no matter what the http config
> says).  I now *THINK* the reason is SELinux.  I understand http
> configuration, SELinux is a whole different problem.  I  understand
> the concept, but the tools to configure it are mysterious.  The system
> will not offer things from /usr/share or whatnot, even if I alter the
> httpd config to allow it. The mediawiki RPM comes along with an
> httpd.conf file that tries to allow it.  But the system won't allow
> it.  Today I realized will not allow symbolic links from /var/www/html
> pointing into "safe" parts of the file system.
> Yesterday I solved part of my mediawiki trouble.  mail from php/CGI
> programs was not going to the users.  I found out that SELinux was
> blocking mediawiki's attempted use of /usr/sbin/sendmail and learned
> how to fix that (see:
> http://www.mediawiki.org/wiki/Project:Support_desk#SOLVED:_RedHat_6_SELinux_blocks_MediaWiki_from_using_sendmail_1892).
> I have not been able to find anybody who is running Fedora or RedHat
> with SELinux turned on who was able to use mediawiki as it was
> delivered.  If it works for you, please raise your hand.
> For example:
> http://www.johnson.homelinux.net/mywiki/Installing%20and%20configuring%20MediaWiki%20for%20Fedora%2014
> http://www.linuxquestions.org/questions/linux-software-2/how-to-install-mediawiki-on-fedora-9-a-677135/
> http://dailypackage.fedorabook.com/index.php?/archives/120-Productive-Monday-MediaWiki-Collaborative-publishing.html
> It may just be that we are all following some mistaken example from
> somebody who did not understand this any better than we do.
> I had the same experience with phpMyAdmin.  Not in /var/www/html.  No Go.
> pj

SELinux expects apache content to be labeled as apache content.  The
default label for read only content in httpd_sys_content_t.  If you put
this in a random location or some packager does, they need to make sure
the content has the correct label.

man httpd_selinux

explains some of this.

# semanage fcontext -a -t httpd_sys_content_t "/myapp(/.*)?"

Tells SELinux the default label for all content under /myapp will be

Restorecon will then actually put the labels on your system.

# restorecon -R -v /myapp

Now you have permanently changed your SELinux labeling, and full relabel
will maintain this.  If you know of an application that puts content in
a different location, please tell us and we will setup the default
labeling for that directory, to be apache content.

Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/