listuser HH wrote:
Micha Silver wrote:
I've set up mapserver-4.8.3 on a CentOS-4.3 server. With SELinux
enabled I can't get mapserv in /var/www/cgi-bin to work. It can't
find libpq.so. Running ldd on the mapserv binary in the original
compile location returns OK:
[EMAIL PROTECTED] ~]# ldd /home/micha/download/mapserver-4.8.3/mapserv | grep libpq
libpq.so.4 => /var/lib/pgsql/lib/libpq.so.4 (0x0072d000)
But running ldd on the *same* binary copied to /var/www/cgi-bin:
[EMAIL PROTECTED] ~]# cp /home/micha/download/mapserver-4.8.3/mapserv /var/www/cgi-bin/
[EMAIL PROTECTED] ~]# ldd /var/www/cgi-bin/mapserv | grep libpq
libpq.so.4 => not found
libpq.so.4 => not found
The copy has selinux context:
[EMAIL PROTECTED] ~]# ls -Z /var/www/cgi-bin/mapserv
-rwxr-xr-x root root root:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/mapserv
and indeed in the messages log there are "audit:...avc: denied"
errors for mapserv:
May 30 14:11:11 maps kernel: audit(1148987471.254:2): avc: denied { read write } for pid=2662 comm="mapserv" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:initrc_devpts_t tclass=chr_file
May 30 14:11:11 maps kernel: audit(1148987471.254:3): avc: denied { use } for pid=2662 comm="mapserv" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:system_r:initrc_t tclass=fd
May 30 14:11:11 maps kernel: audit(1148987471.254:4): avc: denied { use } for pid=2662 comm="mapserv" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:system_r:initrc_t tclass=fd
May 30 14:11:11 maps kernel: audit(1148987471.255:5): avc: denied { read } for pid=2662 comm="mapserv" name="libpq.so.4" dev=sda2 ino=1423567 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:var_lib_t tclass=lnk_file
May 30 14:11:11 maps kernel: audit(1148987471.331:6): avc: denied { read } for pid=2662 comm="mapserv" name="libpq.so.4" dev=sda2 ino=1423567 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:var_lib_t tclass=lnk_file
If I drop the SELinux level to "permissive" (logs error but doesn't
deny) then mapserv works as expected.
Can anyone suggest how to set this up, short of disabling selinux??
Thanks, Micha
Hi,
I think you could use something like:
chcon -c -v -R -u system_u -r object_r -t lib_t [path/to/lib/folder]
I'm not familiar with SELinux so check the args in the man for chcon.
Regards
Norbert
Norbert:
Here's what I did.
chcon -t lib_t /var/lib/pgsql/lib
chcon -t lib_t /var/lib/pgsql/lib/libpq.so.4.1 # The real library
rm -f /var/lib/pgsql/lib/libpq.so.4 # delete the original soft link...
# ... and recreate it to correct selinux context for the link
ln -s /var/lib/pgsql/lib/libpq.so.4.1 /var/lib/pgsql/lib/libpq.so.4
Now it seems to be working. Thanks,
Micha
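
Added example, not part of the thread: a small Python parser that groups the "avc: denied" lines quoted above by source type, target type and object class, so the label that blocks libpq.so.4 stands out from the terminal-related noise. The sample log is the thread's five denials rejoined onto single lines; the function names are hypothetical.

```python
import re

# The five denials quoted in the thread, rejoined onto one line each.
SAMPLE_LOG = """\
May 30 14:11:11 maps kernel: audit(1148987471.254:2): avc: denied { read write } for pid=2662 comm="mapserv" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:initrc_devpts_t tclass=chr_file
May 30 14:11:11 maps kernel: audit(1148987471.254:3): avc: denied { use } for pid=2662 comm="mapserv" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:system_r:initrc_t tclass=fd
May 30 14:11:11 maps kernel: audit(1148987471.254:4): avc: denied { use } for pid=2662 comm="mapserv" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:system_r:initrc_t tclass=fd
May 30 14:11:11 maps kernel: audit(1148987471.255:5): avc: denied { read } for pid=2662 comm="mapserv" name="libpq.so.4" dev=sda2 ino=1423567 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:var_lib_t tclass=lnk_file
May 30 14:11:11 maps kernel: audit(1148987471.331:6): avc: denied { read } for pid=2662 comm="mapserv" name="libpq.so.4" dev=sda2 ino=1423567 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:var_lib_t tclass=lnk_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    try:
        # A context is user:role:type[:level]; policy rules are written on the type.
        rec['stype'] = rec['scontext'].split(':')[2]
        rec['ttype'] = rec['tcontext'].split(':')[2]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return rec

def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec.get('tclass', '?'))
        entry = summary.setdefault(key, {'perms': set(), 'names': set(), 'count': 0})
        entry['perms'].update(rec['perms'])
        entry['names'].add(rec.get('name', '?'))
        entry['count'] += 1
    return summary

if __name__ == '__main__':
    for (stype, ttype, tclass), e in sorted(summarize(SAMPLE_LOG).items()):
        perms = ' '.join(sorted(e['perms']))
        print(f"{stype} -> {ttype}:{tclass} perms=[{perms}] names={sorted(e['names'])} x{e['count']}")
```

On the thread's log this gives three groups; the only one that names libpq.so.4 is httpd_sys_script_t reading a var_lib_t lnk_file, the symlink that the follow-up deletes and recreates.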