1

I have a CGI script called index.cgi

It is trying to read a log file called 10.128.0.242.2012.sep.20.downloaded.txt under the path /var/log/trafcount/

It appears that it is being blocked by SELinux.

The audit log shows something like

type=AVC msg=audit(1348158321.873:1472116): avc: denied { read } for pid=11620 comm="index.cgi" name="10.128.0.242.2012.sep.20.downloaded.txt" dev=dm-0 ino=395264 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

How can I allow this script full access to all files under /var/log/trafcount?

2
  • this looks like an apache config issue Commented Sep 21, 2012 at 0:29
  • Thanks, I will try over at Server Fault. I am pretty sure it's not an Apache config, as the script is running and doing everything it's supposed to except being able to open and read the log file. Commented Sep 21, 2012 at 13:52

1 Answer

2

One way is with the 'chcon' command with the following:

chcon -Rv --type=httpd_sys_content_t /var/log/trafcount 

This will get you access across reboots, but not across SELinux relabelings. In the long run, I'd suggest creating a custom type and creating a rule for that in SELinux so that both /var/log and Apache can happily continue to use it.

Source: http://wiki.centos.org/HowTos/SELinux (Lots of great stuff on SELinux under CentOS in there)
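To make the denial in the question easier to read, the following added example (not part of the original question or answer) parses the AVC record and prints the type-enforcement rule it corresponds to, in the single-line form that audit2allow reports. The function names parse_avc and te_rule are illustrative, and the extra record in the checks is constructed.

```python
import re

# The denial quoted in the question, copied verbatim from the page.
AVC_LINE = (
    'type=AVC msg=audit(1348158321.873:1472116): avc: denied { read } for '
    'pid=11620 comm="index.cgi" name="10.128.0.242.2012.sep.20.downloaded.txt" '
    'dev=dm-0 ino=395264 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC audit record; return None if the line is not usable."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    rec['result'] = m.group(1)
    rec['perms'] = m.group(2).split()
    if not rec['perms'] or 'tclass' not in rec:
        return None
    for key in ('scontext', 'tcontext'):
        # A context is user:role:type[:level]; the level can contain ':'
        # itself (e.g. s0:c0.c1023), so split at most three times.
        parts = rec.get(key, '').split(':', 3)
        if len(parts) < 3:
            return None
        rec[key + '_type'] = parts[2]
    return rec


def te_rule(rec):
    """Render the type-enforcement rule that would permit this access."""
    perms = rec['perms']
    perm_txt = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {} {}:{} {};'.format(
        rec['scontext_type'], rec['tcontext_type'], rec['tclass'], perm_txt)


if __name__ == '__main__':
    rec = parse_avc(AVC_LINE)
    print('process domain :', rec['scontext_type'])
    print('file type      :', rec['tcontext_type'])
    print('rule           :', te_rule(rec))
```

The rule is keyed on types rather than paths, so granting it would cover every file labelled var_log_t, not only those under /var/log/trafcount. Giving the directory its own label, as the answer suggests, keeps the script's access limited to those files.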
