dbfdg 3 nmau @sDddlZejdddZejZddlZddlmZGdddeZdS)Nzsetroubleshoot-pluginsT)Zfallback)Pluginc@sLeZdZedZedZedZdZedZedZ dZ dd Z d d Z d S) pluginz? SELinux prevented httpd $ACCESS access to http files. aZ SELinux prevented httpd $ACCESS access to http files. Ordinarily httpd is allowed full access to all files labeled with http file context. This machine has a tightened security policy with the $BOOLEAN turned off, this requires explicit labeling of all files. If a file is a cgi script it needs to be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is read only content, it needs to be labeled httpd_TYPE_content_t. If it is writable content, it needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon command to change these context. Please refer to the man page "man httpd_selinux" or FAQ "TYPE" refers to one of "sys", "user" or "staff" or potentially other script types. zg Changing the "$BOOLEAN" boolean to true will allow this access: "setsebool -P $BOOLEAN=1" zsetsebool -P $BOOLEAN=1zcIf you want to allow httpd to execute cgi scripts and to unify HTTPD handling of all content files.z_you must tell SELinux about this by enabling the 'httpd_unified' and 'http_enable_cgi' booleansz1# setsebool -P httpd_unified=1 httpd_enable_cgi=1cCstj|t|jddS)N)r__init____name__Z set_priority)selfr2/usr/share/setroubleshoot/plugins/httpd_unified.pyr=s zplugin.__init__cCsL|jdrH|jdrH|jdks(|jdkrHtjd rHtjd rH|jSdS)Nzhttpd_t httpd_.*_script_tz httpd_.*tfiledirZ httpd_unifiedZhttpd_enable_cgi)Zmatches_source_typesZmatches_target_typesZtclassselinuxZsecurity_get_boolean_activeZreport)rZavcrrr analyzeAs    zplugin.analyzeN) r __module__ __qualname___ZsummaryZproblem_descriptionZfix_descriptionZfix_cmdZif_textZ then_textZdo_textrr rrrr rsr)gettextZ translationrr Zsetroubleshoot.Pluginrrrrrr s