Configuring SELinux Policies for web application - Submin

If you want to use Submin, or any other web application that resides outside the default Apache directory (/var/www/html), you have to set the proper SELinux context on all of its files. In this case all files are located in the /var/lib/submin directory. Without this, you will get error messages like the following in /var/log/audit/audit.log:

avc:  denied  { write } for  pid=1813 comm="python2" name="submin.db" dev=dm-0 ino=664032 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

and in /var/log/messages:

setroubleshoot: SELinux is preventing /usr/bin/python from read access on the file /var/lib/submin/conf/settings.py
setroubleshoot: SELinux is preventing /usr/bin/python from read access on the file /var/lib/submin/conf/settings.pyc
setroubleshoot: SELinux is preventing /usr/bin/python from write access on the directory /var/lib/submin/conf
setroubleshoot: SELinux is preventing /usr/bin/python from getattr access on the file /var/lib/submin/conf/submin.db
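
An added example (not part of the original post or of Submin): a small Python parser that groups AVC denials for the httpd_t domain by target type and object class, which shows which objects still carry a generic label such as var_lib_t. The sample records other than the first, and the names selinux_type, parse_avc and summarize, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample. Line 1 is the denial quoted in the post; the rest are
# made-up records in the same format (a getattr, a dir write, another domain).
SAMPLE = """\
avc:  denied  { write } for  pid=1813 comm="python2" name="submin.db" dev=dm-0 ino=664032 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
avc:  denied  { getattr } for  pid=1813 comm="python2" path="/var/lib/submin/conf/submin.db" dev=dm-0 ino=664032 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
avc:  denied  { write } for  pid=1813 comm="python2" name="conf" dev=dm-0 ino=664001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
avc:  denied  { read } for  pid=900 comm="sshd" name="example" dev=dm-0 ino=12 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Type field of user:role:type:level (the level may itself contain ':')."""
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"}.issubset(rec):
        return None
    rec["perms"] = m.group(1).split()
    rec["stype"] = selinux_type(rec["scontext"])
    rec["ttype"] = selinux_type(rec["tcontext"])
    return rec

def summarize(lines, source_type="httpd_t"):
    """Group one domain's denials by (target type, object class)."""
    out = defaultdict(lambda: {"perms": set(), "objects": set()})
    for rec in filter(None, map(parse_avc, lines)):
        if rec["stype"] == source_type:
            entry = out[(rec["ttype"], rec["tclass"])]
            entry["perms"].update(rec["perms"])
            # getattr-style records carry path=, most others carry name=
            entry["objects"].add(rec.get("path") or rec.get("name", "?"))
    return dict(out)

if __name__ == "__main__":
    for (ttype, tclass), e in sorted(summarize(SAMPLE.splitlines()).items()):
        print(f"httpd_t -> {ttype}:{tclass} perms={sorted(e['perms'])} objects={sorted(e['objects'])}")
```
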

You should change the context of /var/lib/submin/cgi-bin/submin.cgi to httpd_sys_script_exec_t and of the whole /var/lib/submin/conf/ directory to httpd_sys_script_rw_t:

cd /var/lib/submin
chcon -t httpd_sys_script_exec_t cgi-bin/submin.cgi
chcon -R -t httpd_sys_script_rw_t conf

Additionally, if you want Submin to work with Apache on a different port (e.g. 88), you have to change the http_vhost option:

submin2-admin /var/lib/submin config set http_vhost "http://your.host.com:88"

Note that there is no trailing slash (/) in the address.
