Re: selinux denial of cgi script with httpd using ssl

On 4 September 2017 at 22:49, Gregory P. Ennis <PoMec@xxxxxxxxx> wrote:

> Thanks for your help.
>
> I did pick up an additional entry in the audit file :
>
>
> type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for
> pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0"
> ino=537182029 scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
>
> Unfortunately, I am not sure how the above tells me what is wrong.
>
>
Odd it was in the don't audit logs, as I think that should be logged
normally.

Executable scripts should be httpd_sys_script_exec_t rather than
httpd_sys_content_t, as the latter is just read-only content files rather
than something to be executed.

The default policy has the cgi-bin directory contents labelled correctly by
default though ...

Could you please post the output of 'semanage fcontext -lC' ... this will
list any local file context modifications.

You could try restorecon -Rv /var/www to see if that fixes your labelling,
if you've not made any local modifications.

If you have made local modifications to set the contents of cgi-bin to
httpd_sys_content_t then you should remove those with semanage fcontext -d
'/var/www/cgi-bin' (or whatever the pattern for the local modification is), as
that's incorrect labelling.

While you're checking selinux configuration do a quick
getsebool httpd_enable_cgi ... it's on by default but worth verifying :)
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
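The reply above walks through reading the AVC record and then the checks to run (semanage fcontext -lC, restorecon -Rv /var/www, getsebool httpd_enable_cgi). As an added illustration that is not part of the thread, the POSIX shell script below parses such a denial, extracts the source and target SELinux types, and classifies the case the thread describes (httpd_t denied execute on a file labelled httpd_sys_content_t) before printing the same checks. The sample AVC line is constructed to match the one quoted in the thread; the remediation commands are only printed, never executed, so the script runs on any machine without SELinux tooling.

```shell
#!/bin/sh
# Added example, not from the thread: classify an SELinux AVC execute denial
# for httpd and print the checks the reply suggests. SAMPLE is a constructed
# copy of the denial quoted above.

# Print the value of field $2 (e.g. tcontext) from AVC record $1.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# Print the type component (user:role:TYPE:level) of an SELinux context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify one AVC line:
#   mislabelled - httpd_t denied execute on a httpd_sys_content_t file
#                 (the script carries a read-only content label; relabel it)
#   ok-label    - target already carries httpd_sys_script_exec_t
#   other       - not the case discussed in the thread
diagnose_avc() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p')
    stype=$(context_type "$(avc_field "$line" scontext)")
    ttype=$(context_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    if [ "$perm" = execute ] && [ "$stype" = httpd_t ] && [ "$tclass" = file ]; then
        case $ttype in
            httpd_sys_content_t)     echo mislabelled ;;
            httpd_sys_script_exec_t) echo ok-label ;;
            *)                       echo other ;;
        esac
    else
        echo other
    fi
}

# Print (do not run) the checks from the reply for the diagnosed case.
print_remediation() {
    case $(diagnose_avc "$1") in
        mislabelled)
            echo "# list local file-context modifications that may force the wrong label"
            echo "semanage fcontext -lC"
            echo "# relabel the web root from policy defaults (cgi-bin -> httpd_sys_script_exec_t)"
            echo "restorecon -Rv /var/www"
            echo "# confirm CGI execution is enabled in policy"
            echo "getsebool httpd_enable_cgi"
            ;;
        ok-label)
            echo "# label is already httpd_sys_script_exec_t; check getsebool httpd_enable_cgi"
            ;;
        *)
            echo "# not an httpd execute-on-content denial"
            ;;
    esac
}

# Constructed sample, shaped like the denial quoted in the thread.
SAMPLE='type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" ino=537182029 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'

print_remediation "$SAMPLE"
```

Feed it real lines with something like `grep 'avc:  denied' /var/log/audit/audit.log` and inspect the diagnosis before relabelling; the point of the classification is that an execute denial on httpd_sys_content_t is a labelling problem to fix with restorecon, not a reason to write an allow rule.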