
[swish-e] SELinux breaking Swish-e

From: Parker, Peter A CONTRACTOR WRAIR-Wash DC <Peter.Parker(at)not-real.AMEDD.ARMY.MIL>
Date: Wed Nov 07 2007 - 17:28:55 GMT
I am running Swish-e 2.4.5 using Apache 2.0.52, RedHat Enterprise Linux
4 and Perl version: 5.8.5.

Per my organization's security policies I must use SELinux. When SELinux
is in enforcing mode using the targeted policy, and I load the swish cgi
page and enter in a search term, I receive the message "Service
currently unavailable" in red above the search field.

Before SELinux was placed in enforcing mode, swish-e was working. I have
indexed over a hundred files and set up the included cgi script to run
from the apache cgi-bin, and it worked fine.

After inspecting the SELinux logs I found that swish-e is attempting a
domain transition (see the error message below). This is where I need
your help. Does anyone know why swish-e would need to perform a domain
transition? Is this something I can work around? I am not comfortable
editing policy for SELinux, nor is it likely that my dept will allow it,
so I would like to know: is there some other way to get this working than
having to edit my SELinux policy?

Also, is it possible to run swish-e as a different user? Or run it from a
different directory, say the root directory, as a workaround?

[Denial message from log]
Nov  5 14:29:23 localhost kernel: audit(1194157763.575:0):
  avc:  denied  { execute_no_trans } for  pid=30825 \
  exe=/usr/bin/perl5.8.5 path=/var/www/swish-e/bin/swish-e dev=dm-0
ino=2871373 \    
  scontext=root:system_r:httpd_sys_script_t \
  tcontext=root:object_r:httpd_sys_content_t tclass=file \
[End of message from log]

[Explanation of error message for reference (stuff I found online)]
Message is denied, the brackets {} contain the actual permission that
was attempted, execute_no_trans. There is apparently no rule specifying
an automatic domain transition so this is a request to execute without
transition.  A type transition results in a new process running in a new
domain different from the executing process, or a new object being
labeled with a type different from the source doing the labeling.  Pid
is the process ID.  Exe specifies the application being denied. 'path'
is the path to the target file or directory the operation was attempted
on. scontext is the security context of the source, that is, the process
being denied access. 'tcontext' is the security context of the target,
that is, the file or directory that is denied. 'tclass' is the object
class of the target, in this case a file.
[End of error message explanation]

Any assistance you can provide is really appreciated!

Peter A. Parker
Clinical Research Management, Inc.
Walter Reed Army Institute of Research
Phone: 301-319-7592
Fax: 301-319-9449

Users mailing list
Received on Wed Nov 7 12:29:21 2007
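Added here as a worked example (it is not part of the original post, nor code from Swish-e): a small Python parser for AVC denial lines in the kernel audit format quoted above. It pulls out the permission, the source and target contexts and the object class that the explanation walks through field by field, and states the execute_no_trans case in those terms; SAMPLE_AVC is the post's own denial joined onto one line, and the `describe` wording is the editor's, not the kernel's.

```python
import re

# Constructed sample: the AVC denial quoted in the post, joined into one
# line with the syslog "\" continuations removed.
SAMPLE_AVC = (
    "Nov  5 14:29:23 localhost kernel: audit(1194157763.575:0): "
    "avc:  denied  { execute_no_trans } for  pid=30825 "
    "exe=/usr/bin/perl5.8.5 path=/var/www/swish-e/bin/swish-e dev=dm-0 "
    "ino=2871373 scontext=root:system_r:httpd_sys_script_t "
    "tcontext=root:object_r:httpd_sys_content_t tclass=file"
)

# "avc: denied { perm perm ... } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r"\s+for\s+(?P<rest>.*)$")
# key=value pairs; newer kernels quote some values (comm="...").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split a user:role:type[:level] security context into its parts."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) > 3 else None}

def parse_avc(line):
    """Parse one audit line; returns None if it carries no AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx] = split_context(rec[ctx])
    return rec

def describe(rec):
    """One-line reading of the record, using the post's explanation of the fields."""
    src, tgt = rec["scontext"]["type"], rec["tcontext"]["type"]
    who = "%s (pid %s)" % (rec.get("exe", "?"), rec.get("pid", "?"))
    if "execute_no_trans" in rec["perms"] and rec.get("tclass") == "file":
        # No automatic transition rule exists for this domain/type pair, so
        # the exec was attempted without a domain transition, and that too
        # is not allowed by the loaded policy.
        return ("%s running in domain %s tried to execute %s (type %s) "
                "without a domain transition; neither an automatic "
                "transition nor a plain exec is allowed from %s on %s files"
                % (who, src, rec.get("path"), tgt, src, tgt))
    return "%s in domain %s was %s %s on %s of type %s" % (
        who, src, rec["verdict"], ",".join(rec["perms"]), rec.get("tclass"), tgt)
```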