[mapserver-users] Getting MapServer to work with SELinux
Bill Thoen
bthoen at gisnet.com
Sat Jul 5 08:25:07 PDT 2008
Bill Thoen wrote:
> So does anyone know of a step by step reference detailing how to get
> MapServer to work under SELinux's "enforcing" mode? I've Googled for
> an answer but haven't found anything I understand. I like the idea of
> the extra security that SELinux offers, so I'd like to learn how to
> set up MapServer to work with it.
I think I've figured it out. Or at least I can get MapServer to work
under SELinux now. I don't fully understand it yet, but here are the steps
I took. The answer came from http://sheltren.com/selinux_pam_mkhomedir
and http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385.
First, extract all the AVC messages related to mapserv from your
/var/log/messages or /var/log/audit/audit.log log file into a separate
file. I used:
grep "type=AVC" /var/log/audit/audit.log | grep mapserv > avcs
Next, create the Type Enforcement file and policy module like so:
audit2allow -M mapserv < avcs
This creates mapserv.pp and mapserv.te. You can edit mapserv.te if you
like and then recompile the policy module (it tells how in the above
URLs). Otherwise, just add mapserv.pp to your machine's running policy
like so:
semodule -i mapserv.pp
As soon as I did this, MapServer worked. However, you may need to do
this several times because once you fix one permission problem, there are a
few others that you'll hit.
Like I said, I don't fully understand this process; I'm only reporting
what seems to work for me, so if there's anyone who knows better and
sees a mistake here, please correct me.
- Bill Thoen
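
Added example, not part of the original post: a way to see which accesses the collected denials cover before they are turned into a module and loaded with semodule. It prints one line per source type, target type and class, written like the allow rules of a Type Enforcement file. The function names and the sample log lines (including the SELinux types in them) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit.log lines (not from the original post).
sample_avcs() {
cat <<'EOF'
type=AVC msg=audit(1215271507.101:41): avc:  denied  { read } for  pid=2345 comm="mapserv" name="world.shp" dev=dm-0 ino=1201 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1215271507.102:42): avc:  denied  { getattr } for  pid=2345 comm="mapserv" name="world.shp" dev=dm-0 ino=1201 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1215271509.310:47): avc:  denied  { read } for  pid=2351 comm="mapserv" name="roads.shp" dev=dm-0 ino=1207 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1215271510.004:48): avc:  denied  { write } for  pid=2351 comm="mapserv" name="ms_tmp" dev=dm-0 ino=88 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1215271511.500:49): avc:  denied  { read } for  pid=900 comm="sshd" name="shadow" dev=dm-0 ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1215271507.101:41): arch=40000003 syscall=5 success=no exit=-13 comm="mapserv" exe="/var/www/cgi-bin/mapserv"
EOF
}

# Summarise the AVC denials for one command name as allow-style rules,
# one line per (source type, target type, class), permissions merged.
summarize_avc() {
  grep 'type=AVC' | grep "comm=\"$1\"" | awk '
  {
    perms = $0
    sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
    src = tgt = cls = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
      if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    key = src " " tgt ":" cls
    n = split(perms, p, " ")
    for (j = 1; j <= n; j++)
      if (!seen[key, p[j]]++) rules[key] = rules[key] " " p[j]
  }
  END { for (k in rules) print "allow " k " {" rules[k] " };" }' | sort
}

# Stand-alone run over the constructed sample.
sample_avcs | summarize_avc mapserv
```

On a real system the input would be the audit log itself, for example `summarize_avc mapserv < /var/log/audit/audit.log`, and a rule naming a target type MapServer has no reason to touch is worth questioning before the module is installed.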