On 4 September 2017 at 22:49, Gregory P. Ennis <PoMec@xxxxxxxxx> wrote:
> Thanks for your help.
>
> I did pick up an additional entry in the audit file:
>
> type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for
> pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0"
> ino=537182029 scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
>
> Unfortunately, I am not sure how the above tells me what is wrong.
>

Odd it was in the don't audit logs, as I think that should be logged normally.

Executable scripts should be httpd_sys_script_exec_t rather than httpd_sys_content_t, as the latter is just read only content files rather than something to be executed.

The default policy has the cgi-bin directory contents labelled correctly by default though ...

Could you please post the output of 'semanage fcontext -lC' ... this will list any local file context modifications.

You could try restorecon -Rv /var/www to see if that fixes your labelling, if you've not made any local modifications.

If you have made local modifications to set the contents of cgi-bin to httpd_sys_content_t then you should remove those with semanage fcontext -d '/var/www/cgi-bin' or whatever the pattern for the local modification is as that's incorrect labelling.

While you're checking SELinux configuration do a quick getsebool httpd_enable_cgi ... it's on by default but worth verifying :)

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
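An added example, not part of the original message and not code from either poster: a small Python parser that decodes the AVC record quoted above into its source domain, permission and target label, and applies the labelling rule given in the reply. The function names (split_context, parse_avc, explain) are hypothetical.

```python
import re

# AVC record copied from the message above (line breaks removed).
AVC = ('type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for '
       'pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" '
       'ino=537182029 scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


def split_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain colons."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'not an SELinux context: {ctx!r}')
    return dict(zip(('user', 'role', 'type', 'level'), parts))


def parse_avc(line):
    """Return the fields of one AVC record as a dict."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    rec['source'] = split_context(rec['scontext'])   # who asked (process domain)
    rec['target'] = split_context(rec['tcontext'])   # what was touched (file label)
    return rec


def explain(rec):
    """One-line reading of the record: domain, permission, class, label."""
    msg = (f"{rec['source']['type']} was {rec['result']} "
           f"{'/'.join(rec['perms'])} on {rec['tclass']} "
           f"{rec.get('name', '?')} labelled {rec['target']['type']}")
    # Rule stated in the reply: scripts executed by httpd should carry
    # httpd_sys_script_exec_t; httpd_sys_content_t is read-only content.
    if (rec['source']['type'] == 'httpd_t' and 'execute' in rec['perms']
            and rec['target']['type'] == 'httpd_sys_content_t'):
        msg += '; expected label httpd_sys_script_exec_t'
    return msg


if __name__ == '__main__':
    print(explain(parse_avc(AVC)))
```

The third colon-separated field of scontext and tcontext is the SELinux type, which is the part of the record that the type-enforcement decision is made on.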