Just a question: is there no mod_wsgi on SELinux? Or why do you use CGI?
Reunar

On 13.07.2012 21:10, Paul Boddie wrote:
> On Friday 13 July 2012 13:43:44 Ole Holm Nielsen wrote:
>> We run Moin 1.9.4 on a RHEL 6.2 Linux server which was upgraded to RHEL
>> 6.3. After the upgrade we saw SELinux permission errors in the Apache
>> errorlog:
>>
>> python: can't open file '/var/www/wiki/cgi-bin/moin.cgi': [Errno 13]
>> Permission denied
>>
>> This is an issue with SELinux (as determined by turning off SELinux).
>> There exists a Moin HowTo http://moinmo.in/HowTo/FedoraSELinux, but it
>> doesn't seem to help any on RHEL6 Linux. After much googling and
>> experimentation I found the following:
>>
>> SOLUTION:
>>     setsebool -P httpd_enable_cgi=on
>>     chcon -t httpd_unconfined_script_exec_t /.../cgi-bin/moin.cgi
>
> I'm not sure about the setsebool option, although I didn't set up Apache in
> my environment that uses SELinux, but I found that I needed to give my CGI
> script the httpd_sys_content_t type.
>
>> Comments:
>> The first line allows CGI scripts in the first place - that's simple.
>> The second line disables SELinux completely for the moin.cgi script, see
>> "man httpd_selinux" (on Fedora this man-page contains more details).
>> The SELinux context httpd_sys_script_exec_t for moin.cgi recommended
>> elsewhere simply doesn't work on RHEL 6.3.
>>
>> I hope this may help others with RHEL6 Moin servers.
>
> I'm using RHEL 6.3, so the above may be the solution. I also recommend using
> semanage to make security context information permanent. For example:
>
>     semanage fcontext -a -t httpd_sys_content_t "/.../cgi-bin/moin.cgi"
>
> If you have other files that Apache processes need to access, it may be
> necessary to set this type for those files. For example:
>
>     semanage fcontext -a -t httpd_sys_content_t "/var/lib/moin(/.*)?"
>
> This sets the type for a /var/lib/moin directory containing any separate Wiki
> configuration and data.
>
> To enforce security context information according to the policies stated
> above, do the following:
>
>     restorecon -v /.../cgi-bin/moin.cgi
>     restorecon -R -v /var/lib/moin
>
> This should ensure that files get labelled automatically.
>
> Paul
>
> P.S. I'm not an SELinux expert and found that it is generally poorly
> documented, so any refinements to the above would be welcome.

_______________________________________________
Moin-user mailing list
Moin-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/moin-user
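
Added example, not part of the original thread and not Moin project code: a small shell audit of the SELinux file types discussed above, reading lines in the format printed by `stat -c '%C %n' FILE`. The sample labels, the `wikiconfig.py` and `copied-from-home.txt` paths, and the verdict names are constructed for this example.

```shell
#!/bin/sh
# Added example: classify SELinux file types for a Moin CGI setup.
# Input lines have the form "<context> <path>", e.g. from: stat -c '%C %n' FILE

# Print the type field (third colon-separated field) of a context such as
# system_u:object_r:httpd_sys_content_t:s0
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines on stdin; print "<verdict> <type> <path>".
# UNCONFINED marks the type the thread describes as disabling SELinux
# for the script; OTHER marks any type the thread does not mention.
audit_labels() {
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        t=$(selinux_type "$ctx")
        case "$t" in
            httpd_unconfined_script_exec_t) verdict=UNCONFINED ;;
            httpd_sys_script_exec_t)        verdict=CONFINED_SCRIPT ;;
            httpd_sys_content_t)            verdict=CONTENT ;;
            *)                              verdict=OTHER ;;
        esac
        printf '%s %s %s\n' "$verdict" "$t" "$path"
    done
}

# Constructed sample input (not from a real host); file names are hypothetical.
sample_labels() {
    cat <<'EOF'
unconfined_u:object_r:httpd_unconfined_script_exec_t:s0 /var/www/wiki/cgi-bin/moin.cgi
system_u:object_r:httpd_sys_content_t:s0 /var/lib/moin/wikiconfig.py
unconfined_u:object_r:user_home_t:s0 /var/lib/moin/data/copied-from-home.txt
EOF
}

# Count files that are unconfined or carry a type outside the httpd set above.
count_findings() {
    audit_labels | grep -c -E '^(UNCONFINED|OTHER) ' || true
}

sample_labels | audit_labels
```

On a live host, feed it real labels with `stat -c '%C %n' /path/to/files | audit_labels`; a file showing OTHER under the wiki data directory is a candidate for the `semanage fcontext` and `restorecon` steps quoted in the thread.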