
I have a CGI script called index.cgi

It is trying to read a log file called 10.128.0.242.2012.sep.20.downloaded.txt under the path /var/log/trafcount/

It appears that it is being blocked by SELinux.

The audit log shows something like

type=AVC msg=audit(1348158321.873:1472116): avc: denied { read } for pid=11620 comm="index.cgi" name="10.128.0.242.2012.sep.20.downloaded.txt" dev=dm-0 ino=395264 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

How can I allow this script full access to all files under /var/log/trafcount?

Steed

2 Answers


I suggest reading the documentation.

Specifically, see the Troubleshooting section Fixing Problems for a guide on how to use audit2allow to modify your local SELinux policy to permit the access your application requires.

The typical flow is:

audit2allow -a -M myapp

Inspect the policy generated to ensure that it's sane, then to install it, run:

semodule -i myapp.pp
Michael Hampton
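
As an aid to the "inspect the policy" step above, the following is an added example, not code from either answer or from the SELinux tools. It parses AVC denial records such as the one in the question, prints the type-enforcement rule each denial implies, and flags rules whose target type is shared by many files. The `BROAD_TYPES` set and all function names are assumptions made for this example.

```python
import re

# The AVC record quoted in the question, embedded so the example runs offline.
SAMPLE = ('type=AVC msg=audit(1348158321.873:1472116): avc: denied { read } for '
          'pid=11620 comm="index.cgi" name="10.128.0.242.2012.sep.20.downloaded.txt" '
          'dev=dm-0 ino=395264 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 '
          'tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+'
                    r'tclass=(?P<tclass>\S+)')

# Assumption for this example: a hand-picked list of generic types that label
# many unrelated files, so a rule targeting them reaches far beyond one directory.
BROAD_TYPES = {"var_log_t", "etc_t", "usr_t", "tmp_t", "var_t", "default_t"}

def parse_avc(line):
    """Extract permissions, source/target types and class from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m["perms"].split(),
        # A context is user:role:type:level, so the type is the third field.
        "source_type": m["scon"].split(":")[2],
        "target_type": m["tcon"].split(":")[2],
        "tclass": m["tclass"],
    }

def allow_rule(d):
    """Render the allow rule that would permit the denied access."""
    perms = d["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f'allow {d["source_type"]} {d["target_type"]}:{d["tclass"]} {p};'

def review(lines):
    """Return sorted, de-duplicated (rule, target_is_broad) pairs."""
    rules = {}
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[allow_rule(d)] = d["target_type"] in BROAD_TYPES
    return sorted(rules.items())

if __name__ == "__main__":
    for rule, broad in review([SAMPLE]):
        print(rule, "  # broad target type" if broad else "")
```

For the record in the question, the implied rule applies to every file labelled var_log_t, not only to the files under /var/log/trafcount.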

How can I allow this script full access to all files under /var/log/trafcount?

Try this:

chcon -R -t var_log_t /var/log/trafcount
quanta