mapserver and selinux

Micha Silver micha at ARAVA.CO.IL
Tue May 30 08:33:48 EDT 2006


I've set up mapserver-4.8.3 on a CentOS-4.3 server. With SELinux enabled 
I can't get mapserv in /var/www/cgi-bin to work. It can't find libpq.so. 
Running ldd on the mapserv binary in the original compile location 
returns OK:

[root@maps ~]# ldd /home/micha/download/mapserver-4.8.3/mapserv | grep libpq
        libpq.so.4 => /var/lib/pgsql/lib/libpq.so.4 (0x0072d000)

But running ldd on the *same* binary copied to /var/www/cgi-bin:
[root@maps ~]# cp /home/micha/download/mapserver-4.8.3/mapserv /var/www/cgi-bin/
[root@maps ~]# ldd /var/www/cgi-bin/mapserv | grep libpq
        libpq.so.4 => not found
        libpq.so.4 => not found

The copy has selinux context:
[root@maps ~]# ls -Z /var/www/cgi-bin/mapserv
-rwxr-xr-x  root     root     root:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/mapserv

and indeed in the messages log there are "audit:...avc: denied" errors 
for mapserv:
May 30 14:11:11 maps kernel: audit(1148987471.254:2): avc:  denied  { read write } for  pid=2662 comm="mapserv" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:initrc_devpts_t tclass=chr_file
May 30 14:11:11 maps kernel: audit(1148987471.254:3): avc:  denied  { use } for  pid=2662 comm="mapserv" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:system_r:initrc_t tclass=fd
May 30 14:11:11 maps kernel: audit(1148987471.254:4): avc:  denied  { use } for  pid=2662 comm="mapserv" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:system_r:initrc_t tclass=fd
May 30 14:11:11 maps kernel: audit(1148987471.255:5): avc:  denied  { read } for  pid=2662 comm="mapserv" name="libpq.so.4" dev=sda2 ino=1423567 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:var_lib_t tclass=lnk_file
May 30 14:11:11 maps kernel: audit(1148987471.331:6): avc:  denied  { read } for  pid=2662 comm="mapserv" name="libpq.so.4" dev=sda2 ino=1423567 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:var_lib_t tclass=lnk_file

If I drop the selinux level to "permissive" (logs error but doesn't deny) 
then mapserv works as expected.

Can anyone suggest how to set this up, short of disabling selinux??

Thanks, Micha


-- 
Micha Silver
Arava Development Co
+972-8-6592270