FAQ: Configuring Sawmill to work with Security Enhanced Linux, in CGI mode


Sawmill doesn't work in CGI mode with SELinux enabled; how do I get it to work?

Short Answer

Use semodule to allow the operations that Sawmill uses; see the long answer.

Long Answer

Security Enhanced Linux (SELinux) confines each process to a domain and denies every operation the loaded policy does not explicitly allow for that domain. A CGI program under Apache runs in the httpd_sys_script_t domain, and the default policy for that domain denies several operations Sawmill needs (reading log directories, stat()ing files, creating netlink and UDP sockets), so Sawmill fails and the browser shows a blank page. Each denial is recorded as an AVC message in /var/log/audit/audit.log (or in /var/log/messages when auditd is not running), which is how the rules below were identified. This article describes how to build and load a small policy module that allows those operations. It is a deliberate loosening of the policy, so read the rules before installing them.

Start by creating a file called sawmill.te, with the following contents:

module sawmill 1.0;

require {
       class appletalk_socket create;
       class dir { getattr read search };
       class file { getattr read };
       class netlink_route_socket { bind create getattr nlmsg_read read write };
       class socket { create ioctl };
       class udp_socket { create ioctl };
       class unix_dgram_socket create;
       role system_r;
       type apmd_log_t;
       type autofs_t;
       type boot_t;
       type faillog_t;
       type file_t;
       type httpd_log_t;
       type httpd_sys_script_t;
       type lastlog_t;
       type mnt_t;
       type net_conf_t;
       type proc_net_t;
       type rpm_log_t;
       type samba_log_t;
       type sendmail_log_t;
       type squid_log_t;
       type sysctl_net_t;
       type sysfs_t;
       type var_log_t;
       type var_t;
       type wtmp_t;
};

# Sawmill runs as an Apache CGI, so it executes in the httpd_sys_script_t domain.
# Every rule below widens that domain, which is shared by all CGI scripts on the host.

# Reading the web server's own logs (the data Sawmill analyzes).
allow httpd_sys_script_t httpd_log_t:dir { getattr read };
allow httpd_sys_script_t httpd_log_t:file read;
allow httpd_sys_script_t var_log_t:dir read;
allow httpd_sys_script_t var_log_t:file getattr;
allow httpd_sys_script_t var_t:dir read;

# Metadata only (getattr) on other log files and directories; nothing here lets
# Sawmill read their contents.
allow httpd_sys_script_t apmd_log_t:file getattr;
allow httpd_sys_script_t faillog_t:file getattr;
allow httpd_sys_script_t lastlog_t:file getattr;
allow httpd_sys_script_t rpm_log_t:file getattr;
allow httpd_sys_script_t samba_log_t:dir getattr;
allow httpd_sys_script_t sendmail_log_t:dir getattr;
allow httpd_sys_script_t squid_log_t:dir getattr;
allow httpd_sys_script_t wtmp_t:file getattr;

# Metadata on mount points, /boot, /sys and unlabeled (file_t) directories.
allow httpd_sys_script_t autofs_t:dir getattr;
allow httpd_sys_script_t boot_t:dir getattr;
allow httpd_sys_script_t file_t:dir getattr;
allow httpd_sys_script_t mnt_t:dir getattr;
allow httpd_sys_script_t sysfs_t:dir getattr;

# Network configuration: resolver files (net_conf_t), /proc/net and /proc/sys/net.
allow httpd_sys_script_t net_conf_t:file { getattr read };
allow httpd_sys_script_t proc_net_t:dir { read search };
allow httpd_sys_script_t proc_net_t:file { getattr read };
allow httpd_sys_script_t sysctl_net_t:dir search;

# Sockets Sawmill creates for itself (a netlink route socket is what glibc's
# getifaddrs() uses to enumerate network interfaces).
allow httpd_sys_script_t self:appletalk_socket create;
allow httpd_sys_script_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow httpd_sys_script_t self:socket { create ioctl };
allow httpd_sys_script_t self:udp_socket { create ioctl };
allow httpd_sys_script_t self:unix_dgram_socket create;

Then run the following commands, as root:

 checkmodule -M -m -o sawmill.mod sawmill.te
 semodule_package -o sawmill.pp -m sawmill.mod
 semodule -i sawmill.pp

checkmodule compiles the policy source into a binary module (-M builds it with MLS/MCS support, -m makes it a non-base module), semodule_package wraps it as an installable package, and semodule loads it into the running policy. The new rules take effect immediately for new requests, so Sawmill should function as a CGI program without restarting Apache. Confirm the module is loaded with "semodule -l | grep sawmill"; if the page is still blank, look for new AVC denials with "ausearch -m avc -ts recent" rather than switching SELinux to permissive mode. Keep in mind that these rules apply to every CGI script running in httpd_sys_script_t, not only Sawmill, so install the module only on hosts where that is acceptable, and remove it with "semodule -r sawmill" when it is no longer needed.
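The rule list above is a snapshot of one system's denials, so on a different release or a different Sawmill version the first blank page may come from a denial it does not cover. The script below is an added example, not Sawmill's or this FAQ's own code: it derives the module from the AVC denials actually logged on the host, generates the require block that checkmodule needs, and runs the same checkmodule / semodule_package / semodule steps as the article. The module name "sawmill", the domain "httpd_sys_script_t", the work directory under /tmp, the --demo and --install switches, and the four sample audit lines are all assumptions made for the example; the sample lines are constructed and are not real audit output.

```shell
#!/bin/sh
# Added example (not Sawmill's or the FAQ's own script): build the Sawmill
# policy module from the AVC denials logged on this host instead of copying a
# fixed rule list. Assumes auditd is logging, the tools from the checkpolicy,
# policycoreutils and audit packages are installed, and that Sawmill is the
# only CGI in httpd_sys_script_t producing denials (hypothetical).
set -eu

MODULE=${MODULE:-sawmill}
DOMAIN=${DOMAIN:-httpd_sys_script_t}
WORKDIR=${WORKDIR:-/tmp/selinux-$MODULE}

# Constructed sample denials in audit.log format, used for offline testing;
# the fourth line duplicates the first and must be folded into one rule.
SAMPLE_AVC='type=AVC msg=audit(1300000000.100:101): avc:  denied  { read } for  pid=2345 comm="sawmill" name="httpd" dev=sda2 ino=131 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=AVC msg=audit(1300000000.100:102): avc:  denied  { read } for  pid=2345 comm="sawmill" name="access_log" dev=sda2 ino=132 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1300000000.101:103): avc:  denied  { create } for  pid=2345 comm="sawmill" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1300000000.100:104): avc:  denied  { read } for  pid=2345 comm="sawmill" name="httpd" dev=sda2 ino=131 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir'

# stdin: raw AVC lines; stdout: one deduplicated allow rule per distinct denial.
# The target becomes "self" when source and target types match, as for sockets.
avc_to_allow() {
    awk '/avc: +denied/ {
        perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src); split(src, s, ":")
        tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt); split(tgt, t, ":")
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        rule = "allow " s[3] " " (t[3] == s[3] ? "self" : t[3]) ":" cls " { " perms " };"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# stdin: allow rules; stdout: a complete .te whose require block declares every
# class/permission and type the rules mention, which is what checkmodule needs.
rules_to_te() {
    awk -v name="$MODULE" '
    $1 == "allow" {
        p = $0; sub(/.*[{] */, "", p); sub(/ *[}].*/, "", p)
        split($3, tc, ":"); cls = tc[2]
        types[$2] = 1; if (tc[1] != "self") types[tc[1]] = 1
        n = split(p, pl, " ")
        for (i = 1; i <= n; i++)
            if (index(" " cp[cls] " ", " " pl[i] " ") == 0)
                cp[cls] = (cp[cls] == "" ? "" : cp[cls] " ") pl[i]
        rules[++nr] = $0
    }
    END {
        print "module " name " 1.0;\n\nrequire {"
        for (c in cp) print "\tclass " c " { " cp[c] " };"
        for (t in types) print "\ttype " t ";"
        print "};\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

preflight() {
    for t in getenforce ausearch checkmodule semodule_package semodule; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing $t" >&2; return 1; }
    done
    mode=$(getenforce)
    # With SELinux disabled nothing is denied, so a blank page has another cause.
    [ "$mode" != "Disabled" ] || { echo "SELinux is disabled; not the cause" >&2; return 1; }
    echo "SELinux mode: $mode" >&2
}

build_and_install() {
    mkdir -p "$WORKDIR" && cd "$WORKDIR"
    # Only denials from the CGI domain since boot; other domains are not Sawmill's.
    if ! ausearch -m avc -ts boot | grep "scontext=[^ ]*:$DOMAIN:" > avc.log; then
        echo "no AVC denials for $DOMAIN found" >&2; return 1
    fi
    avc_to_allow < avc.log | rules_to_te > "$MODULE.te"
    echo "Review $WORKDIR/$MODULE.te; it widens $DOMAIN for every CGI script:" >&2
    cat "$MODULE.te" >&2
    checkmodule -M -m -o "$MODULE.mod" "$MODULE.te"
    semodule_package -o "$MODULE.pp" -m "$MODULE.mod"
    semodule -i "$MODULE.pp"
    if semodule -l | grep -q "^$MODULE"; then
        echo "module $MODULE installed" >&2
    else
        echo "module $MODULE not listed after install" >&2; return 1
    fi
}

case "${1:-}" in
    --demo)    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | rules_to_te ;;
    --install) preflight && build_and_install ;;
esac
```

Run it with --demo to see the .te generated from the sample lines, and as root with --install on the affected host. In enforcing mode Sawmill stops at the first denied operation, so after installing the module reload the Sawmill page and run --install again until no new denials appear; semodule -i replaces a module of the same name, and ausearch -ts boot keeps returning the earlier denials, so each pass only grows the rule set. To collect everything in one pass, run "setenforce 0", load the Sawmill page once (denials are still logged, marked permissive=1), run --install, and then "setenforce 1" again.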