Steed asked:
I have a CGI script called index.cgi
It is trying to read a log file called 10.128.0.242.2012.sep.20.downloaded.txt under the path /var/log/trafcount/
It appears that it is being blocked by selinux.
The audit log shows something like
type=AVC msg=audit(1348158321.873:1472116): avc: denied { read } for pid=11620 comm="index.cgi" name="10.128.0.242.2012.sep.20.downloaded.txt" dev=dm-0 ino=395264 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
How can I allow this script full access to all files under /var/log/trafcount ?
My answer:
I suggest reading the documentation.
Specifically, see the Troubleshooting section Fixing Problems for a guide on how to use audit2allow to modify your local SELinux policy to permit the access your application requires.
The typical flow is:
audit2allow -a -M myapp
Inspect the policy generated to ensure that it’s sane, then to install it, run:
semodule -i myapp.pp
View the full question and any other answers on Server Fault.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.