Writing to /var/log from CGIs with SELinux enabled
- From: Luis Fernando Muñoz Mejías <lfmunozmejias@xxxxxxxxx>
- Date: Fri, 13 Jul 2007 03:10:27 -0700
Hello, world
I have an HTTP server on RHEL4. I have a few CGIs that write logs on
/var/log, as expected. Without SELinux, they work OK. But, with
SELinux, these scripts fail because they can't open their logs. I have
modified their contexts:
$ ls -Z /var/log/swrep-soap-server.log
-rw-r--r-- apache apache system_u:object_r:httpd_sys_script_rw_t /var/log/swrep-soap-server.log
but this is useless because my CGI cannot open /var/log, which is
var_log_t:
$ dmesg|grep audit |tail -n1
audit(1184265870.104:27): avc: denied { search } for pid=3888
comm="swrep-soap-serv"name="log" dev=hda1 ino=819222
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_log_t tclass=dir
so, I can't reach the logs. I suppose I shouldn't chcon /var/log, as
this would affect the rest of the system, right? I need to write
exactly 2 files on /var/log, how can I modify the policy to reach
them?
Thanks in advance.
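
The denial quoted in the message above, broken down field by field. This is an added example, not part of the original post; `parse_avc` and `te_rule` are hypothetical helper names. It shows that the refused access is `search` on the directory named `log` (type `var_log_t`), not an access to the relabelled log file, and renders the denial in type-enforcement rule syntax so it can be reviewed before any policy change.

```python
import re

# The denial from the post, joined onto one line (the missing space before
# name= is kept exactly as it appears in the post).
SAMPLE = ('audit(1184265870.104:27): avc: denied { search } for pid=3888 '
          'comm="swrep-soap-serv"name="log" dev=hda1 ino=819222 '
          'scontext=root:system_r:httpd_sys_script_t '
          'tcontext=system_u:object_r:var_log_t tclass=dir')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    try:
        # Contexts are user:role:type, optionally followed by an MLS range.
        fields['source_type'] = fields['scontext'].split(':')[2]
        fields['target_type'] = fields['tcontext'].split(':')[2]
        fields['tclass']  # must be present to name the object class
    except (KeyError, IndexError):
        return None
    fields['perms'] = m.group('perms').split()
    return fields


def te_rule(d):
    """Render the denial as a type-enforcement allow rule, for review only."""
    perms = d['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {} {}:{} {};'.format(
        d['source_type'], d['target_type'], d['tclass'], perm_str)


if __name__ == '__main__':
    d = parse_avc(SAMPLE)
    print('process  :', d['comm'], 'running as', d['source_type'])
    print('object   :', d['tclass'], 'named', d['name'], 'labelled', d['target_type'])
    print('refused  :', ' '.join(d['perms']))
    print('as a rule:', te_rule(d))
```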