Gossamer Forum
Home : Products : DBMan : Installation :

SELinux prevented reading and writing access to dbman files.

Quote Reply
SELinux prevented reading and writing access to dbman files.
Hello all,

System info: Apache/2.2.9 (Fedora)
Installing dbman for testing a web tool idea.
I have placed dbman files into /var/www/cgi-bin folder. Once I start the default (Test) database I'm able to enter the user name and password (admin). After authentication CGI crashes giving the following error: (Note: Folder permissions have already been set to "777")
Error Message : unable to open auth file: ./auth/. Reason: Permission denied

Script Location : /var/www/cgi-bin/dbman/db.cgi
Perl Version : 5.008008
Setup File : default.cfg
Session ID : admin.122121273337274

Form Variables
db : default
login : Logon
pw : admin
uid :
userid : admin

Environment Variables
CONTENT_TYPE : application/x-www-form-urlencoded
DOCUMENT_ROOT : /var/www/html
HTTP_ACCEPT : text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
HTTP_ACCEPT_CHARSET : ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_ACCEPT_LANGUAGE: en-us,en;q=0.5
HTTP_CONNECTION : keep-alive
HTTP_HOST : localhost
HTTP_REFERER : http://localhost/cgi-bin/dbman/db.cgi
HTTP_USER_AGENT : Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20080715 Fedora/ Firefox/
PATH : /sbin:/usr/sbin:/bin:/usr/bin
REQUEST_URI : /cgi-bin/dbman/db.cgi
SCRIPT_FILENAME : /var/www/cgi-bin/dbman/db.cgi
SCRIPT_NAME : /cgi-bin/dbman/db.cgi
SERVER_ADMIN : root@localhost
SERVER_NAME : localhost
SERVER_SIGNATURE : Apache/2.2.9 (Fedora) Server at localhost Port 80

SERVER_SOFTWARE : Apache/2.2.9 (Fedora)
At the same time SELinux gives me the following error.

***** Summary *****
SELinux prevented httpd reading and writing access to http files. Detailed DescriptionSELinux prevented httpd reading and writing access to http files. Ordinarily httpd is allowed full access to all files labeled with http file context. This machine has a tightened security policy with the httpd_unified turned off, this requires explicit labeling of all files. If a file is a cgi script it needs to be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is read-only content, it needs to be labeled httpd_TYPE_content_t, it is writable content. it needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon command to change these contexts. Please refer to the man page "man httpd_selinux" or FAQ "TYPE" refers to one of "sys", "user" or "staff" or potentially other script types.

***** Allowing Access *****
Changing the "httpd_unified" boolean to true will allow this access: "setsebool -P httpd_unified=1" The following command will allow this access:setsebool -P httpd_unified=1

The suggested fix from SELinux "setsebool -P httpd_unified=1" command does nothing to allow dbman to run.

I have disabled SELinux to check for functionality. Everything works fine with SELinux disabled.

But my problem is I need to run SELinux as part of our server. Has anyone else run into this and fixed it. If so please advise.

Quote Reply
Re: [lolths] SELinux prevented reading and writing access to dbman files. In reply to
Since this is more related to a server problem rather than with the script itself, you may want to post a question in the Internet Technologies forum.

Perhaps someone in there will be familiar with using SELinux.

Unoffical DBMan FAQ

Quote Reply
Re: [LoisC] SELinux prevented reading and writing access to dbman files. In reply to
SmileSmileSmileProblem fixed:SmileSmileSmile

For others having the same SELinux problems with dbman run the following commands to allow access

chcon system_u:object_r:httpd_sys_script_ro_t:s0 db.cgi
chcon system_u:object_r:httpd_sys_script_ro_t:s0 html.pl
chcon system_u:object_r:httpd_sys_script_ro_t:s0 auth.pl
chcon system_u:object_r:httpd_sys_script_ro_t:s0 default.cfg
chcon system_u:object_r:httpd_sys_script_rw_t:s0 default.pass
chcon system_u:object_r:httpd_sys_script_rw_t:s0 default.count
chcon system_u:object_r:httpd_sys_script_rw_t:s0 default.log
chcon system_u:object_r:httpd_sys_script_rw_t:s0 default.db
chcon system_u:object_r:httpd_sys_script_rw_t:s0 auth
chcon system_u:object_r:httpd_sys_script_rw_t:s0 index.html

Sorry I'm a bit new to SELinux. After reading the SELinux message a bit closer and analyzing what it actually says I realized where I made a mistake.
I hope this helps others in the future.