mapserver and selinux

Micha Silver micha at ARAVA.CO.IL
Thu Jun 1 03:20:53 PDT 2006 

listuser HH wrote:

> Micha Silver wrote:
>
>> I've setup mapserver-4.8.3 on a CentOS-4.3 server. With SELinux 
>> enabled I can't get mapserv in /var/www/cgi-bin to work. It can't 
>> find libpq.so. Running ldd on the mapserv binary in the original 
>> compile location returns OK:
>>
>> [root at maps ~]# ldd /home/micha/download/mapserver-4.8.3/mapserv | 
>> grep libpq
>>        libpq.so.4 => /var/lib/pgsql/lib/libpq.so.4 (0x0072d000)
>>
>> But running ldd on the *same* binary copied to /var/www/cgi-bin:
>> [root at maps ~]# cp /home/micha/download/mapserver-4.8.3/mapserv 
>> /var/www/cgi-bin/
>> [root at maps ~]# ldd /var/www/cgi-bin/mapserv | grep libpq
>>        libpq.so.4 => not found
>>        libpq.so.4 => not found
>>
>> The copy has selinux context:
>> [root at maps ~]# ls -Z /var/www/cgi-bin/mapserv
>> -rwxr-xr-x  root     root     root:object_r:httpd_sys_script_exec_t 
>> /var/www/cgi-bin/mapserv
>>
>> and indeed in the messages log there are "audit:...avc: denied" 
>> errors for mapserv:
>> May 30 14:11:11 maps kernel: audit(1148987471.254:2): avc:  denied  { 
>> read write } for  pid=2662 comm="mapserv" name="0" dev=devpts ino=2 
>> scontext=root:system_r:httpd_sys_script_t 
>> tcontext=root:object_r:initrc_devpts_t tclass=chr_file
>> May 30 14:11:11 maps kernel: audit(1148987471.254:3): avc:  denied  { 
>> use } for  pid=2662 comm="mapserv" name="0" dev=devpts ino=2 
>> scontext=root:system_r:httpd_sys_script_t 
>> tcontext=user_u:system_r:initrc_t tclass=fd
>> May 30 14:11:11 maps kernel: audit(1148987471.254:4): avc:  denied  { 
>> use } for  pid=2662 comm="mapserv" name="0" dev=devpts ino=2 
>> scontext=root:system_r:httpd_sys_script_t 
>> tcontext=user_u:system_r:initrc_t tclass=fd
>> May 30 14:11:11 maps kernel: audit(1148987471.255:5): avc:  denied  { 
>> read } for  pid=2662 comm="mapserv" name="libpq.so.4" dev=sda2 
>> ino=1423567 scontext=root:system_r:httpd_sys_script_t 
>> tcontext=root:object_r:var_lib_t tclass=lnk_file
>> May 30 14:11:11 maps kernel: audit(1148987471.331:6): avc:  denied  { 
>> read } for  pid=2662 comm="mapserv" name="libpq.so.4" dev=sda2 
>> ino=1423567 scontext=root:system_r:httpd_sys_script_t 
>> tcontext=root:object_r:var_lib_t tclass=lnk_file
>>
>> If I drop the seliux level to "permissive" (logs error but doesn't 
>> deny) then mapserv works as expected.
>>
>> Can anyone suggest how to set this up, short of disabling selinux??
>>
>> Thanks, Micha
>>
>>
> Hi,
>
> I think you could use something like:
> chcon -c -v -R -u system_u -r object_r -t lib_t [path/to/lib/folder]
>
> I'm not familiar with SELinux so check the args in the man for chcon.
>
> Regards
>
> Norbert
>
Norbert:

Here's what I did.
chcon -t lib_t /var/lib/pgsql/lib
chcon -t lib_t /var/lib/pgsql/libpq.so.4.1  # The real library
rm -f /var/lib/pgsql/lib/libpq.so.4
# delete the original soft link...
# ... and recreate it to correct selinux context for the link
ln -s /var/lib/pgsql/lib/libpq.so.4.1 /var/lib/pgsql/lib/libpqso.4  

Now it seems to be working. Thanks,
Micha

More information about the MapServer-users mailing list