[ic] problem opening website

Tim Good tim.g at edsd.com
Thu Dec 9 01:26:49 EST 2004



> -----Original Message-----
> From: interchange-users-bounces at icdevgroup.org 
> [mailto:interchange-users-bounces at icdevgroup.org] On
Behalf 
> Of Jon Jensen
> Sent: Tuesday, December 07, 2004 9:36 AM
> To: interchange-users at icdevgroup.org
> Subject: Re: [ic] problem opening website
> 
> 
> On Fri, 3 Dec 2004, Paul Arnold wrote:
> 
> > I have copied both vlink and tlink into my cgi-bin dir,
rechecked 
> > permissions
> > on both the store in my cgi-bin and the socket, to make 
> sure they haven't 
> > changed. I have restarted IC and even restarted the
whole 
> linux box I am 
> > running
> > Are there any other files or directories that might need
to 
> to have certian 
> > permissions?
> >
> > I have, indeed checked the icdevgroup and all over
google and yahoo 
> > for the
> > messages We're sorry the server is unavaible, and in 
> different ways. I have 
> > tried everything everyone has suggested, even on holder 
> versions of IC that 
> > they had.
> > I have a fresh, full, and completely updated install of 
> Fedora Core 3.
> > Everything has installed perl, ic and fC3 with no
problems 
> or errors.
> 
> Do you have SELinux enabled in strict mode? I wonder if
your cgi-bin 
> directory isn't allowed to have executables by SELinux 
> policy. You may 
> want to double-check all your logs.
> 
> Jon
> 
> -- 
> Jon Jensen
> End Point Corporation
> http://www.endpoint.com/
> Software development with Interchange, Perl, PostgreSQL, 
> Apache, Linux, ...
_______________________________________________
> interchange-users mailing list
> interchange-users at icdevgroup.org 
> http://www.icdevgroup.org/mailman/listinfo/interchange-users

you might find these useful ...

interchange.te (to be used with the SELinux policy source tree, as /etc/selinux/targeted/src/domain/program/interchange.te):

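#DESC Interchange - Ecommerce server
#
# Author:  Tim Good <draco at edsd.com>
#          Sam Hunter <shunter at interrupt-driven.org>
# Sam provided the wipers on my beer goggles.
#
# Type-enforcement rules for the Interchange daemon. The file is written
# against the macro set of the SELinux example policy source tree; the
# macros (daemon_domain, r_dir_file, can_unix_connect, ...) are defined
# elsewhere in that tree, so what they expand to is not visible here.
#
# Every statement and every comment is kept on a single line. A comment
# that wraps leaves its tail outside the comment and breaks the build.
# Comments avoid quote characters because the file is run through m4.

#################################
#
# Rules for the interchange_t domain.
#
# interchange_exec_t is the type of the interchange executable.
#
# NOTE(review): the rules below use interchange_t, interchange_exec_t and
# interchange_var_run_t without declaring them, so they are presumably
# declared by this macro. Confirm against the macro definition.
daemon_domain(interchange)

# The daemon creates its own socket files with the run-time label.
allow interchange_t interchange_var_run_t:sock_file create_file_perms;

# Configuration type, plus an alias for it under the older name order.
etcdir_domain(interchange)
typealias interchange_etc_t alias etc_interchange_t;

# Type for the Interchange databases (see the create_dir_file rule below).
type interchange_db_t, file_type, sysadmfile;

log_domain(interchange)

# for temporary tables
tmp_domain(interchange)

allow interchange_t usr_t:file { getattr read };

# IPC the daemon does with itself: pipes and its own stream socket.
allow interchange_t self:fifo_file { read write };
allow interchange_t self:unix_stream_socket create_stream_socket_perms;

# Init scripts may talk to the daemon over its socket.
allow initrc_t interchange_t:unix_stream_socket connectto;
allow initrc_t interchange_var_run_t:sock_file write;

# Web side: CGI scripts run by the web server must be able to locate the
# socket, write to it and connect to the daemon. Without these rules the
# link program in cgi-bin cannot reach a running daemon.
allow httpd_sys_script_t interchange_t:unix_stream_socket connectto;
allow httpd_sys_script_t interchange_var_run_t:sock_file write;
allow httpd_sys_script_t interchange_etc_t:dir { read search };
allow httpd_sys_script_t interchange_var_run_t:dir { read search };
# NOTE(review): this grants execute (not only read) on the loader cache to
# every script in httpd_sys_script_t, not just the Interchange link
# program. Confirm it is still required before keeping it.
allow httpd_sys_script_t ld_so_cache_t:file execute;

allow interchange_t interchange_log_t:file { write append setattr ioctl };

# NOTE(review): dac_override lets the daemon bypass ordinary file
# permission checks. setuid and setgid suggest it starts privileged and
# then switches user - confirm. Check whether correct file ownership would
# make dac_override unnecessary.
allow interchange_t self:capability { dac_override setgid setuid };
allow interchange_t self:process getsched;

# Read-only view of /proc entries, system binaries and the random device.
allow interchange_t proc_t:file { getattr read };
allow interchange_t { bin_t sbin_t }:dir  { getattr read search };
allow interchange_t { bin_t sbin_t }:file { getattr read execute };
allow interchange_t urandom_device_t:chr_file read;

# connect to mysql
# Only compiled in when the mysqld policy is part of the build.
# NOTE(review): the plain write rule on mysqld_var_run_t:sock_file and the
# explicit connectto rule look redundant next to the rw_file_perms rule
# and can_unix_connect. They are kept as given - confirm before pruning.
ifdef(`mysqld.te', `
can_unix_connect(interchange_t, mysqld_t)
allow interchange_t mysqld_var_run_t:dir search;
allow interchange_t mysqld_var_run_t:sock_file write;
allow interchange_t mysqld_db_t:dir search;
allow interchange_t mysqld_t:unix_stream_socket connectto;
allow interchange_t mysqld_db_t:sock_file rw_file_perms;
allow interchange_t mysqld_var_run_t:sock_file rw_file_perms;
')

# connect to apache config files for makecat
# Read-only: the daemon domain can read the web server configuration but
# gets no write permission on it here.
ifdef(`apache.te', `
allow interchange_t httpd_config_t:dir search;
allow interchange_t httpd_config_t:file { read getattr ioctl };
')

# Allow access to the interchange databases
create_dir_file(interchange_t, interchange_db_t)
allow interchange_t var_lib_t:dir { getattr search };

# NOTE(review): can_ypbind is presumably only needed on hosts that use
# NIS - confirm, and drop it where NIS is not in use.
can_network_server(interchange_t)
can_ypbind(interchange_t)

# read config files
r_dir_file(initrc_t, interchange_etc_t)
allow interchange_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };

allow interchange_t sysctl_kernel_t:dir search;
allow interchange_t sysctl_kernel_t:file read;

# Administrators may connect to the daemon socket, and the daemon may
# execute files labelled with its own executable type.
can_unix_connect(sysadm_t, interchange_t)
can_exec(interchange_t, interchange_exec_t )

# Log rotation needs to read the configuration and reach the socket.
ifdef(`logrotate.te', `
r_dir_file(logrotate_t, interchange_etc_t)
allow logrotate_t interchange_db_t:dir search;
allow logrotate_t interchange_var_run_t:dir search;
allow logrotate_t interchange_var_run_t:sock_file write;
can_unix_connect(logrotate_t, interchange_t)
')

# Supervision under daemontools: transition into interchange_t when the
# service runner executes the daemon, and allow it to be signalled.
ifdef(`daemontools.te', `
domain_auto_trans( svc_run_t, interchange_exec_t, interchange_t)
allow svc_start_t interchange_t:process signal;
svc_ipc_domain(interchange_t)
')dnl end ifdef daemontools

ifdef(`distro_redhat', `
allow initrc_t interchange_db_t:dir create_dir_perms;

# because Fedora has the sock_file in the database directory
file_type_auto_trans(interchange_t, interchange_db_t, interchange_var_run_t, sock_file)
')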

and interchange.fc (to be used with the SELinux policy source tree, as /etc/selinux/targeted/src/file_contexts/program/interchange.fc):

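# interchange shopping cart software
#
# File-context entries for an Interchange install under
# /usr/local/interchange with its databases under /var/lib/interchange.
#
# Each entry must sit on ONE line: path regex, optional file-type flag,
# security context. An entry split across two lines is not a valid entry.
# The flag "--" limits the match to regular files and "-s" to sockets.
# Entries with no flag apply to any file type.

# Default label for the whole install tree. The narrower entries below are
# intended to override it for specific paths.
/usr/local/interchange(/.*)?			system_u:object_r:interchange_etc_t

# NOTE(review): everything under etc/ gets the run-time label, not only
# the two sockets listed at the end of this file. Presumably the daemon
# creates its run-time files there - confirm.
/usr/local/interchange/etc(/.*)?		system_u:object_r:interchange_var_run_t

# Programs shipped with Interchange carry the daemon executable type ...
/usr/local/interchange/bin/.*			system_u:object_r:interchange_exec_t
# ... except makecat, which is labelled as an ordinary binary and is
# therefore not matched by rules keyed on interchange_exec_t.
/usr/local/interchange/bin/makecat		system_u:object_r:bin_t

# Log files (regular files only).
/usr/local/interchange/error.*		--	system_u:object_r:interchange_log_t

# Database directory tree.
/var/lib/interchange(/.*)?			system_u:object_r:interchange_db_t

# Main configuration file (regular file only).
/usr/local/interchange/interchange\.cfg	--	system_u:object_r:interchange_etc_t

# The daemon sockets (socket files only).
/usr/local/interchange/etc/socket	-s	system_u:object_r:interchange_var_run_t
/usr/local/interchange/etc/socket\.ipc	-s	system_u:object_r:interchange_var_run_t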


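This is a work in progress, and it is up to you to discover the workings of the SELinux policy source.
It really is fairly easy to work with if you read the FAQs and experiment with examples.
Otherwise set SELINUX=disabled in /etc/selinux/config (SELINUX=permissive is the gentler option: nothing is blocked, but denials are still logged, which is what you need for working out policy like the above).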

cheers,

Tim




