Dyfrin

The correct selinux settings (trying to avoid disabling it)


Hello, after a recent server update to F16, I went with a fresh install, not wanting to take legacy junk with me in an update.

I copied everything over, and did a backup in the tools.

When I got httpd, perl, mysql, etc. all installed and went to run movabletype, errors happened because cgi couldn't execute.

Changed chcon -t httpd_sys_script_exec_t *.cgi in movabletype (I have all cgi there, not in /var/www/cgi-bin) and now it works, sorta.

I get error messages any time the cgi tries to write/change/etc files. I get these error messages, showing clearly selinux is denying it:

/sbin/ausearch -m avc -ts today

time->Thu Dec 8 15:05:25 2011
type=SYSCALL msg=audit(1323378325.674:55): arch=c000003e syscall=2 success=yes exit=5 a0=3842090 a1=242 a2=1b6 a3=7fb9df8e8520 items=0 ppid=1068 pid=1182 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mt.cgi" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1323378325.674:55): avc: denied { write } for pid=1182 comm="mt.cgi" name="index.htm.new" dev=dm-2 ino=1053376 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1323378325.674:55): avc: denied { create } for pid=1182 comm="mt.cgi" name="index.htm.new" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1323378325.674:55): avc: denied { add_name } for pid=1182 comm="mt.cgi" name="index.htm.new" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1323378325.674:55): avc: denied { write } for pid=1182 comm="mt.cgi" name="01" dev=dm-2 ino=1049181 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir


Like I said the movabletype works, just can't publish anything. Any ideas?

For reference
movabletype and site folders are both:
drwxrwxr-x. ftpuser apache unconfined_u:object_r:httpd_sys_content_t:s0

all the .cgi files are:
-rwxr-xr-x. ftpuser apache unconfined_u:object_r:httpd_sys_script_exec_t:s0 mt.cgi

(changed username to ftpuser, who is main group apache, which httpd is running as apache:apache):
ExecCGI is in the options in the directory for httpd

Reported on Movable Type 5

3 Replies

  • What about the server path?

    Did that change?

    Look inside the Movable Type admin at each website and blog level to see what their publishing path is, and make sure that is the same after the server update.

    In terms of permissions, the .cgi files should be 755, the folders 777 and the files 666.

    Kind Regards,
    Mihai Bocsaru


  • Server path did not change.
    CHMOD permissions were correct.

    I know it is a selinux permission issue.

    The resolution was:
    httpd_sys_rw_content_t
    on the websites/blogs directories (the ones that get generated by publishing a site), and the support folder in mt-static.

    Selinux is still enforcing and movabletype is working.

  • Alright and congratulations for that!
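
Added example (not part of the thread or of Movable Type): a small Python parser for the AVC records quoted in the question. It groups the denials by source type, target type and class, and, when the CGI domain is denied write-type access to read-only web content, prints the persistent relabel commands that match the resolution. The `semanage`/`restorecon` form and the `/path/to/publish_dir` placeholder are assumptions; the thread only names the type `httpd_sys_rw_content_t`.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch output quoted in the question.
SAMPLE = '''\
type=AVC msg=audit(1323378325.674:55): avc: denied { write } for pid=1182 comm="mt.cgi" name="index.htm.new" dev=dm-2 ino=1053376 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1323378325.674:55): avc: denied { create } for pid=1182 comm="mt.cgi" name="index.htm.new" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1323378325.674:55): avc: denied { add_name } for pid=1182 comm="mt.cgi" name="index.htm.new" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1323378325.674:55): avc: denied { write } for pid=1182 comm="mt.cgi" name="01" dev=dm-2 ino=1049181 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

# Permissions that mean the process is modifying content, not just reading it.
WRITE_PERMS = {"write", "create", "add_name", "remove_name", "unlink", "rename", "append", "setattr"}

def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (se_type(m["s"]), se_type(m["t"]), m["cls"])
            groups[key].update(m["perms"].split())
    return dict(groups)

def suggest(groups, publish_dir="/path/to/publish_dir"):  # placeholder path, not from the thread
    """Relabel commands if the CGI domain was denied writes to read-only httpd content."""
    needs_rw = any(
        src == "httpd_sys_script_t" and tgt == "httpd_sys_content_t" and perms & WRITE_PERMS
        for (src, tgt, _cls), perms in groups.items())
    if not needs_rw:
        return []
    return [
        f"semanage fcontext -a -t httpd_sys_rw_content_t '{publish_dir}(/.*)?'",
        f"restorecon -Rv {publish_dir}",
    ]

if __name__ == "__main__":
    groups = summarize(SAMPLE)
    for key, perms in sorted(groups.items()):
        print(key, sorted(perms))
    print("\n".join(suggest(groups)))
```

Scope the relabel to the directories the application must write to (here, the published site directories and the `support` folder in `mt-static`); the CGI scripts themselves keep `httpd_sys_script_exec_t`.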
