mapserver and selinux
Micha Silver
micha at ARAVA.CO.IL
Thu Jun 1 03:20:53 PDT 2006
listuser HH wrote:
> Micha Silver wrote:
>
>> I've set up mapserver-4.8.3 on a CentOS-4.3 server. With SELinux
>> enabled I can't get mapserv in /var/www/cgi-bin to work. It can't
>> find libpq.so. Running ldd on the mapserv binary in the original
>> compile location returns OK:
>>
>> [root at maps ~]# ldd /home/micha/download/mapserver-4.8.3/mapserv |
>> grep libpq
>> libpq.so.4 => /var/lib/pgsql/lib/libpq.so.4 (0x0072d000)
>>
>> But running ldd on the *same* binary copied to /var/www/cgi-bin:
>> [root at maps ~]# cp /home/micha/download/mapserver-4.8.3/mapserv
>> /var/www/cgi-bin/
>> [root at maps ~]# ldd /var/www/cgi-bin/mapserv | grep libpq
>> libpq.so.4 => not found
>> libpq.so.4 => not found
>>
>> The copy has selinux context:
>> [root at maps ~]# ls -Z /var/www/cgi-bin/mapserv
>> -rwxr-xr-x root root root:object_r:httpd_sys_script_exec_t
>> /var/www/cgi-bin/mapserv
>>
>> and indeed in the messages log there are "audit:...avc: denied"
>> errors for mapserv:
>> May 30 14:11:11 maps kernel: audit(1148987471.254:2): avc: denied {
>> read write } for pid=2662 comm="mapserv" name="0" dev=devpts ino=2
>> scontext=root:system_r:httpd_sys_script_t
>> tcontext=root:object_r:initrc_devpts_t tclass=chr_file
>> May 30 14:11:11 maps kernel: audit(1148987471.254:3): avc: denied {
>> use } for pid=2662 comm="mapserv" name="0" dev=devpts ino=2
>> scontext=root:system_r:httpd_sys_script_t
>> tcontext=user_u:system_r:initrc_t tclass=fd
>> May 30 14:11:11 maps kernel: audit(1148987471.254:4): avc: denied {
>> use } for pid=2662 comm="mapserv" name="0" dev=devpts ino=2
>> scontext=root:system_r:httpd_sys_script_t
>> tcontext=user_u:system_r:initrc_t tclass=fd
>> May 30 14:11:11 maps kernel: audit(1148987471.255:5): avc: denied {
>> read } for pid=2662 comm="mapserv" name="libpq.so.4" dev=sda2
>> ino=1423567 scontext=root:system_r:httpd_sys_script_t
>> tcontext=root:object_r:var_lib_t tclass=lnk_file
>> May 30 14:11:11 maps kernel: audit(1148987471.331:6): avc: denied {
>> read } for pid=2662 comm="mapserv" name="libpq.so.4" dev=sda2
>> ino=1423567 scontext=root:system_r:httpd_sys_script_t
>> tcontext=root:object_r:var_lib_t tclass=lnk_file
>>
>> If I drop the selinux level to "permissive" (logs error but doesn't
>> deny) then mapserv works as expected.
>>
>> Can anyone suggest how to set this up, short of disabling selinux??
>>
>> Thanks, Micha
>>
>>
> Hi,
>
> I think you could use something like:
> chcon -c -v -R -u system_u -r object_r -t lib_t [path/to/lib/folder]
>
> I'm not familiar with SELinux so check the args in the man for chcon.
>
> Regards
>
> Norbert
>
Norbert:
Here's what I did.
chcon -t lib_t /var/lib/pgsql/lib
chcon -t lib_t /var/lib/pgsql/lib/libpq.so.4.1 # The real library
rm -f /var/lib/pgsql/lib/libpq.so.4
# delete the original soft link...
# ... and recreate it to correct selinux context for the link
ln -s /var/lib/pgsql/lib/libpq.so.4.1 /var/lib/pgsql/lib/libpq.so.4
Now it seems to be working. Thanks,
Micha
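An added triage helper (editor's example, not code from the thread or from MapServer): it reduces "avc: denied" lines to one line per distinct denial so the target type (var_lib_t) and object class (lnk_file) that the chcon above has to change stand out. The sample is the denials quoted earlier in the thread, re-joined onto single lines, since the mail client wrapped them.

```shell
#!/bin/sh
# Constructed sample: three of the AVC denials quoted in the thread,
# each restored to a single line.
SAMPLE_AVC='May 30 14:11:11 maps kernel: audit(1148987471.254:2): avc: denied { read write } for pid=2662 comm="mapserv" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:initrc_devpts_t tclass=chr_file
May 30 14:11:11 maps kernel: audit(1148987471.255:5): avc: denied { read } for pid=2662 comm="mapserv" name="libpq.so.4" dev=sda2 ino=1423567 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:var_lib_t tclass=lnk_file
May 30 14:11:11 maps kernel: audit(1148987471.331:6): avc: denied { read } for pid=2662 comm="mapserv" name="libpq.so.4" dev=sda2 ino=1423567 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:var_lib_t tclass=lnk_file'

# Read AVC lines on stdin and print one tab-separated line per distinct
# (comm, permissions, target type, tclass, name), prefixed by a count.
# The target type is the last field of tcontext (e.g. var_lib_t); that is
# the label a relabel such as "chcon -t lib_t" replaces.
avc_summary() {
    awk '
    /avc: denied/ {
        perms = $0
        sub(/.*denied \{ /, "", perms); sub(/ \}.*/, "", perms)
        gsub(/ /, ",", perms)               # "read write" -> "read,write"
        comm = ""; name = ""; tctx = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
            if ($i ~ /^tcontext=/) { tctx = substr($i, 10) }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        n = split(tctx, parts, ":"); ttype = parts[n]
        key = comm "\t" perms "\t" ttype "\t" tclass "\t" name
        count[key]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort
}

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Note that chcon only changes the label on disk; a later restorecon or full filesystem relabel reverts it to the policy default, so a lasting change needs the matching file-context rule in policy, which the thread does not cover.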