mapserver and selinux

listuser HH listuser at HERZSYS.DE
Tue May 30 09:06:59 EDT 2006


Micha Silver wrote:

> I've set up mapserver-4.8.3 on a CentOS-4.3 server. With SELinux
> enabled I can't get mapserv in /var/www/cgi-bin to work. It can't find 
> libpq.so. Running ldd on the mapserv binary in the original compile 
> location returns OK:
>
> [root@maps ~]# ldd /home/micha/download/mapserver-4.8.3/mapserv | grep
> libpq
>        libpq.so.4 => /var/lib/pgsql/lib/libpq.so.4 (0x0072d000)
>
> But running ldd on the *same* binary copied to /var/www/cgi-bin:
> [root@maps ~]# cp /home/micha/download/mapserver-4.8.3/mapserv
> /var/www/cgi-bin/
> [root@maps ~]# ldd /var/www/cgi-bin/mapserv | grep libpq
>        libpq.so.4 => not found
>        libpq.so.4 => not found
>
> The copy has selinux context:
> [root@maps ~]# ls -Z /var/www/cgi-bin/mapserv
> -rwxr-xr-x  root     root     root:object_r:httpd_sys_script_exec_t 
> /var/www/cgi-bin/mapserv
>
> and indeed in the messages log there are "audit:...avc: denied" errors 
> for mapserv:
> May 30 14:11:11 maps kernel: audit(1148987471.254:2): avc:  denied  { 
> read write } for  pid=2662 comm="mapserv" name="0" dev=devpts ino=2 
> scontext=root:system_r:httpd_sys_script_t 
> tcontext=root:object_r:initrc_devpts_t tclass=chr_file
> May 30 14:11:11 maps kernel: audit(1148987471.254:3): avc:  denied  { 
> use } for  pid=2662 comm="mapserv" name="0" dev=devpts ino=2 
> scontext=root:system_r:httpd_sys_script_t 
> tcontext=user_u:system_r:initrc_t tclass=fd
> May 30 14:11:11 maps kernel: audit(1148987471.254:4): avc:  denied  { 
> use } for  pid=2662 comm="mapserv" name="0" dev=devpts ino=2 
> scontext=root:system_r:httpd_sys_script_t 
> tcontext=user_u:system_r:initrc_t tclass=fd
> May 30 14:11:11 maps kernel: audit(1148987471.255:5): avc:  denied  { 
> read } for  pid=2662 comm="mapserv" name="libpq.so.4" dev=sda2 
> ino=1423567 scontext=root:system_r:httpd_sys_script_t 
> tcontext=root:object_r:var_lib_t tclass=lnk_file
> May 30 14:11:11 maps kernel: audit(1148987471.331:6): avc:  denied  { 
> read } for  pid=2662 comm="mapserv" name="libpq.so.4" dev=sda2 
> ino=1423567 scontext=root:system_r:httpd_sys_script_t 
> tcontext=root:object_r:var_lib_t tclass=lnk_file
>
> If I drop the selinux level to "permissive" (logs error but doesn't
> deny) then mapserv works as expected.
>
> Can anyone suggest how to set this up, short of disabling selinux??
>
> Thanks, Micha
>
>
Hi,

I think you could use something like:
chcon -c -v -R -u system_u -r object_r -t lib_t [path/to/lib/folder]

I'm not familiar with SELinux so check the args in the man for chcon.

Regards

Norbert


