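Actually, I've set this up nine times already and I still can't really remember how to configure that damned SELinux. Every time I set up a new machine it gives me the runaround. So that it doesn't get me again, I decided to blog this setup so I'll have something to refer to later.
This time my target is to set up mailgraph on CentOS 5. The mailgraph version I'm using is 1.13. At first I was still dreaming of setting it up with yum install. Of course there was no package, so I had to download it myself from http://mailgraph.schweikert.ch.
First I need to install all the dependencies.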
perl -MCPAN -e shell
install File::Tail
quit
wget http://oss.oetiker.ch/rrdtool/pub/rrdtool-1.2.23.tar.gz
tar zxf rrdtool-1.2.23.tar.gz
cd rrdtool-1.2.23
BUILD_DIR=/tmp/rrdbuild
INSTALL_DIR=/usr/local/rrdtool-1.2.23
./configure --prefix=$INSTALL_DIR && make && make install
After that, the mailgraph setup itself can start:
wget http://mailgraph.schweikert.ch/pub/mailgraph-1.13.tar.gz
tar zxf mailgraph-1.13.tar.gz
cd mailgraph-1.13
cp mailgraph.pl /usr/local/bin
Then vi mailgraph-init
Change MAIL_LOG to "MAIL_LOG=/var/log/maillog"
cp mailgraph-init /etc/init.d
Finally, vi mailgraph.cgi
Change my $rrd = to "my $rrd = '/var/lib/mailgraph.rrd'"
Change my $rrd_virus = to "my $rrd_virus = '/var/lib/mailgraph_virus.rrd'"
cp mailgraph.cgi /var/www/cgi-bin
In theory that's it, but unfortunately I have SELinux enabled, so there's still more to do.
If you ignore it, you'll see the following error message in /var/log/httpd/error_log:
[Wed Aug 22 15:21:46 2007] [error] [client 99.99.99.99] ERROR: opening '/var/lib/mailgraph.rrd': Permission denied, referer: http://99.99.99.99/cgi-bin/mailgraph.cgi
And you'll also see the following error message in /var/log/messages:
Aug 22 14:57:00 server setroubleshoot: SELinux is preventing the mailgraph.cgi from using potentially mislabeled files mailgraph.rrd (var_lib_t). For complete SELinux messages. run sealert -l c961bc8c-9da8-468b-8727-8ba3eafc3517
If you don't do anything about it, of course it won't work.
[root@server ~]# ls -Z /var/lib/*.rrd
-rwxr--r-- root root user_u:object_r:var_lib_t mailgraph.rrd
-rwxr--r-- root root user_u:object_r:var_lib_t mailgraph_virus.rrd
[root@server ~]# ls -Z /var/www/cgi-bin/mailgraph.cgi
-rwxr-xr-x root root user_u:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/mailgraph.cgi
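One look tells you what's wrong: the rrd files and the CGI have different security labels. The rrd files are var_lib_t, while the CGI is httpd_sys_script_exec_t. So I changed the label on /var/lib/*.rrd to match. Why not change mailgraph.cgi instead? Because the label on mailgraph.cgi controls what the script is allowed to do, so changing it would violate the original intent.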
chcon -t httpd_user_content_t /var/lib/*.rrd
[root@server mailgraph-1.13]# ls -laZ /var/lib/*.rrd
-rwxr--r-- root root user_u:object_r:httpd_sys_content_t /var/lib/mailgraph.rrd
-rwxr--r-- root root user_u:object_r:httpd_sys_content_t /var/lib/mailgraph_virus.rrd
Finally I can see mailgraph, but there's still a problem: why does the graph seem to have stopped, with no updates?
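The label check above, as an added example that is not part of the original post: it reads `ls -Z` lines in the CentOS 5 column layout, reports files whose SELinux type is not the one in the post's final listing, and prints a relabel that survives restorecon, which a bare chcon does not. The function names, the full paths in the sample and the third sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the SELinux type of the
# mailgraph RRD files from `ls -Z` output and print a relabel that persists.

WANT_TYPE=httpd_sys_content_t   # type visible in the post's final ls -Z output

# Read `ls -Z` lines on stdin; print "<file> <current type>" for each file
# whose type differs from $1. The context is the first field of the form
# user:role:type[:level], which fits the CentOS 5 column layout
# (mode user group context name). The last field is the file name.
mislabeled() {
    awk -v want="$1" '
    {
        type = ""
        for (i = 1; i < NF && type == ""; i++)
            if (split($i, part, ":") >= 3) type = part[3]
        if (type != "" && type != want) print $NF, type
    }'
}

# Turn the report from mislabeled() into commands. chcon alone is undone by a
# filesystem relabel or restorecon; a semanage fcontext rule records the type
# in local policy so restorecon applies it again.
persistent_fix() {
    while read -r file type; do
        pattern=$(printf '%s' "$file" | sed 's/\./\\./g')   # path as a regex
        printf "semanage fcontext -a -t %s '%s'\n" "$WANT_TYPE" "$pattern"
        printf 'restorecon -v %s\n' "$file"
    done
}

# Constructed sample: the "before" listing from the post with full paths,
# plus one constructed file that already carries the wanted type.
sample_before() {
    cat <<'EOF'
-rwxr--r-- root root user_u:object_r:var_lib_t /var/lib/mailgraph.rrd
-rwxr--r-- root root user_u:object_r:var_lib_t /var/lib/mailgraph_virus.rrd
-rwxr--r-- root root user_u:object_r:httpd_sys_content_t /var/lib/other.rrd
EOF
}

# Print the commands for the sample; nothing is executed against the system.
sample_before | mislabeled "$WANT_TYPE" | persistent_fix
```

On a live machine, pipe `ls -Z /var/lib/*.rrd` into `mislabeled` instead of the sample and review the printed commands before running them as root.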