mapserver cgi+fedora4+SELinux

tim tibben at OCF.BERKELEY.EDU
Fri Aug 19 10:22:05 EDT 2005


Hi Eduin

The errors that you are getting look similar to the errors we had with 
SELinux . . .

We did get mapServer to work in Core 4 with SELinux. In the end we had to 
download the sources for the policies and make a special policy for the 
mapServer environment.

-> Download SELinux policy sources
-> in path /etc/selinux/targeted/src/policy/domains/misc
      create a file called local.te that looks like the following:

allow httpd_sys_script_t lib_t:file execmod;
allow httpd_sys_script_t var_t:dir getattr;
allow httpd_sys_script_t httpd_exec_t:lnk_file read;
allow httpd_sys_script_t default_t:dir { getattr read search };
allow httpd_sys_script_t httpd_var_lib_t:dir search;

-> compile this policy (see the SELinux docs) - I can't remember the exact 
command - the sysadmin where I work figured this out and showed me briefly, 
but it didn't stick

-> set php_mapscript.so to: system_u:object_r:httpd_sys_script_exec_t
-> just in case set the my_sql.so files to: system_u:object_r:texrel_shlib_t
-> set all php scripts and map data files to: 
system_u:object_r:httpd_sys_content_t
-> NOTE: all of my html is also: system_u:object_r:httpd_sys_content_t

-> in /usr/local/lib all .so files are (not the links with .so in the 
name): system_u:object_r:shlib_t
     and all other files are: system_u:object_r:lib_t  (this is for gdal, 
proj, gd, xerces, etc.)

From what I recall this is all . . . I am sure there are other ways to do 
this as well, this is just the solution that we found in a short amount of 
time without futzing over it too much.

As a security measure I also moved all the php scripts to a private 
directory that is outside of the doc root for the web server. All of the 
scripts are then 'included' through a small parsing script in the doc root.

hope this helps
tim
Peru


At 09:20 PM 8/18/2005, Eduin Carrillo wrote:
>I just updated my OS to Fedora4. I had never heard about SELinux, but in the last two
>days I was forced to learn more about security policies and now I like
>SELinux (my site was hacked 3 times in the last six months).
>
>I got php_mapscript running with the system rpm's and other rpms I found on 
>the net
>(mappinghacks) except GDAL, and successfully compiled mapserver 4.6.0 in that
>environment, but the mapserv executable returns a 500 Internal Server Error.
>Apache log reports:
>/var/www/cgi-bin/mapserv: error while loading shared libraries:
>/usr/local/lib/libgdal.so.1: cannot restore segment prot after reloc:
>Permission denied
>
>SELinux policies I applied:
>chcon -t texrel_shlib_t /usr/local/lib/*.so --> for gdal shared libraries
>chcon -t httpd_unconfined_script_t /var/www/cgi-bin/mapserv -->for mapserv
>binary
>
>I was getting the same error running mapserver apps (legend, etc..) from the
>command line, but the policy applied for gdal solved that.
>
>Previously tim asked about php/mapscript and SELinux, so these are my steps to
>get php/mapscript running in FC4:
>----------------------------------
>cd /usr/local/src
>wget http://cvs.gis.umn.edu/dist/mapserver-4.6.0.tar.gz
>tar xvzf mapserver-4.6.0.tar.gz
>cd mapserver-4.6.0
>./configure --with-curl-config=/usr/bin/curl-config \
>--with-php=/usr/src/redhat/SOURCES/php-5.0.4 --with-httpd=/usr/sbin/httpd \
>--with-postgis=/usr/bin/pg_config --with-geos=/usr/bin/geos-config \
>--with-mygis=/usr/bin/mysql_config --with-proj=/usr \
>--with-ogr=/usr/local/bin/gdal-config --with-gdal=/usr/local/bin/gdal-config \
>--with-eppl --with-wfs --with-wcs --with-wmsclient --with-wfsclient \
>--with-gd=/usr
>make
>cp -f mapserv /var/www/cgi-bin/mapserv
>cp -f legend /usr/local/bin/legend
>cp -f scalebar /usr/local/bin/scalebar
>cp -f shp2img /usr/local/bin/shp2img
>cp -f shp2pdf /usr/local/bin/shp2pdf
>cp -f shptree /usr/local/bin/shptree
>cp -f shptreetst /usr/local/bin/shptreetst
>cp -f shptreevis /usr/local/bin/shptreevis
>cp -f sortshp /usr/local/bin/sortshp
>cp -f tile4ms /usr/local/bin/tile4ms
>cp -f mapscript/php3/php_mapscript.so /usr/lib/php/modules/php_mapscript.so
>
>#SELinux policy for php/mapscript
>chcon -t texrel_shlib_t /usr/lib/php/modules/php_mapscript.so
>
>#to load as php module
>echo "extension=php_mapscript.so" > /etc/php.d/mapscript.ini
>
>service httpd restart
>-------------------------
>
>Any hint?
>
>Thanks in advance.
>
>
>Eduin Yesid Carrillo Vega
>yecarrillo at yahoo.com
>COLOMBIA
>
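As an added example (not code from either message in this thread), here is a small POSIX shell script that does by hand what Tim's sysadmin did when building local.te, and that shows the other side of Eduin's chcon step: it reads kernel AVC denial lines in the Fedora Core 4 format ("avc: denied { perm } ... scontext=... tcontext=... tclass=...") and turns them into the allow rules that go into local.te, merging the permissions per source type, target type and object class. It also lists the library paths behind any execmod denial, because that denial is what the "cannot restore segment prot after reloc" error is about: a library with text relocations, which is narrower to handle by labelling that one file texrel_shlib_t (or rebuilding it with -fPIC) than by granting execmod on everything labelled lib_t. The function names are my own and the log lines are constructed for the demonstration, not taken from a real audit.log.

```sh
#!/bin/sh
# Added example, not code from the thread. Derive SELinux TE "allow" rules from
# kernel AVC denial lines (Fedora Core 4 style "avc: denied { perm } ...
# scontext=... tcontext=... tclass=..."), the way the lines in local.te would be
# produced from audit.log, and list which libraries triggered "execmod".
# Function names are my own; the log lines below are constructed for the demo.

# Merge denied permissions per (source type, target type, class) and print one
# allow rule per triple, in the same form as the local.te lines in the thread.
denials_to_te() {
  awk '
    /avc: *denied/ {
      s = index($0, "{"); e = index($0, "}")
      if (s == 0 || e <= s) next
      perms = substr($0, s + 1, e - s - 1)      # e.g. " read search "
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # type part of user:role:type
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      key = src " " tgt ":" cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (p[j] != "" && !seen[key, p[j]]++) acc[key] = acc[key] " " p[j]
    }
    END {
      for (k in acc) {
        n = split(substr(acc[k], 2), p, " ")
        if (n == 1) printf "allow %s %s;\n", k, p[1]
        else        printf "allow %s {%s };\n", k, acc[k]
      }
    }' | LC_ALL=C sort
}

# Paths of the objects behind execmod denials. These are libraries with text
# relocations (the "cannot restore segment prot after reloc" error); labelling
# each one texrel_shlib_t is narrower than allowing execmod on all of lib_t.
execmod_paths() {
  awk '
    /avc: *denied/ {
      s = index($0, "{"); e = index($0, "}")
      if (s == 0 || e <= s) next
      perms = " " substr($0, s + 1, e - s - 1) " "
      if (perms !~ / execmod /) next
      for (i = 1; i <= NF; i++)
        if ($i ~ /^path=/) { gsub(/"/, "", $i); print substr($i, 6) }
    }' | LC_ALL=C sort -u
}

# Constructed sample denials (not real log data), modelled on the errors in the thread.
SAMPLE_AVC='audit(1124456789.123:45): avc:  denied  { execmod } for  pid=2345 comm="httpd" path="/usr/local/lib/libgdal.so.1" dev=hda3 ino=98765 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:lib_t tclass=file
audit(1124456790.456:46): avc:  denied  { getattr } for  pid=2345 comm="httpd" name="data" dev=hda3 ino=4321 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:default_t tclass=dir
audit(1124456790.789:47): avc:  denied  { read search } for  pid=2345 comm="httpd" name="data" dev=hda3 ino=4321 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:default_t tclass=dir
Aug 19 10:22:05 host kernel: unrelated line that must be ignored'

printf '%s\n' "$SAMPLE_AVC" | denials_to_te
printf '%s\n' "$SAMPLE_AVC" | execmod_paths
```

On a real box the input would be the avc lines from /var/log/audit/audit.log or /var/log/messages, and the output is reviewed before it goes into local.te: a rule generated from a denial says what the process tried, not whether it should be allowed, so an execmod on lib_t is a prompt to relabel the one library rather than to widen the policy.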
