On 12/02/2010 09:35 AM, Tony Molloy wrote:
>
> Hi,
>
> I'm running http on a fully updated CentOS 5 system.
>
> httpd-2.2.3-43.el5.centos.3.x86_64
> selinux-policy-2.4.6-279.el5_5.2.noarch
> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>
> I'm trying to run a cgi script from a user directory.
>
> With SELinux enabled I get the following error.
>
> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8] (13)Permission denied: exec of '/usr/sbin/suexec' failed
> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8] Premature end of script headers: survey.cgi
>
> With SELinux in permissive mode I get the following AVC
>
> Summary:
>
> SELinux prevented httpd executing access to http files.
>
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied but was
> permitted due to permissive mode.]
>
> SELinux prevented httpd executing access to http files. Ordinarily httpd is
> allowed full access to all files labeled with http file context. This machine
> has a tightened security policy with the httpd_unified turned off, this requires
> explicit labeling of all files. If a file is a cgi script it needs to be labeled
> with httpd_TYPE_script_exec_t in order to be executed. If it is read-only
> content, it needs to be labeled httpd_TYPE_content_t; if it is writable content,
> it needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can
> use the chcon command to change these contexts. Please refer to the man page
> "man httpd_selinux" or FAQ (http://fedora.redhat.com/docs/selinux-apache-fc3)
> "TYPE" refers to one of "sys", "user" or "staff" or potentially other script
> types.
>
> Allowing Access:
>
> Changing the "httpd_unified" boolean to true will allow this access:
> "setsebool -P httpd_unified=1"
>
> The following command will allow this access:
>
> setsebool -P httpd_unified=1
>
> Additional Information:
>
> Source Context                system_u:system_r:httpd_t
> Target Context                system_u:object_r:httpd_suexec_exec_t
> Target Objects                /usr/sbin/suexec [ file ]
> Source                        suexec
> Source Path                   /usr/sbin/suexec
> Port                          <Unknown>
> Host                          a.b.c.d
> Source RPM Packages           httpd-2.2.3-43.el5.centos.3
> Target RPM Packages           httpd-2.2.3-43.el5.centos.
> Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   httpd_unified
> Host Name                     a.b.c.d
> Platform                      Linux a.b.c.d 2.6.18-194.17.4.el5 #1 SMP Mon Oct 25 15:50:53 EDT 2010 x86_64
> Alert Count                   2
> First Seen                    Thu Dec  2 13:09:20 2010
> Last Seen                     Thu Dec  2 13:33:32 2010
> Local ID                      4a26d013-6f04-4a0f-af21-760368cc9908
> Line Numbers
>
> Raw Audit Messages
>
> host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied { execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec" dev=sda2 ino=1791541 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
>
> host=a.b.c.d type=SYSCALL msg=audit(1291296812.604:97588): arch=c000003e syscall=59 success=yes exit=0 a0=2abacad53449 a1=2abae3768e90 a2=2abae37684d8 a3=0 items=0 ppid=789 pid=5567 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="suexec" exe="/usr/sbin/suexec" subj=system_u:system_r:httpd_t:s0 key=(null)
>
> So it suggests "setsebool -P httpd_unified=1" will allow this access.
>
> However getsebool -a | grep http gives
> httpd_unified --> on
>
> So it is already on.
>
> Thanks,
>
> Tony
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Do you have httpd_suexec_disable_trans turned on?
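Reading the raw AVC record in a setroubleshoot report by hand is error-prone. The following added example (not code from the thread, setroubleshoot, or the SELinux project) parses an AVC line of the shape quoted above and explains what an execute_no_trans denial on httpd_suexec_exec_t means, pointing at the httpd_suexec_disable_trans boolean named in the reply rather than the httpd_unified boolean that setroubleshoot suggested and that the poster already had on. The sample records are constructed copies of the ones quoted in the thread (the SYSCALL record is trimmed).

```python
import re

# Constructed samples, copied in shape from the raw audit messages quoted in the thread.
SAMPLE_AVC = (
    'host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied '
    '{ execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec" '
    'dev=sda2 ino=1791541 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file'
)
SAMPLE_SYSCALL = (
    'host=a.b.c.d type=SYSCALL msg=audit(1291296812.604:97588): arch=c000003e '
    'syscall=59 success=yes exit=0 comm="suexec" exe="/usr/sbin/suexec"'
)

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Split one audit AVC record into a dict of its fields; None if the record is not an AVC."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    avc = {key: val.strip('"') for key, val in FIELD_RE.findall(m.group('rest'))}
    avc['verdict'] = m.group('verdict')
    avc['perms'] = m.group('perms').split()
    # A context is user:role:type[:range]; the type is what policy rules key on.
    for ctx in ('scontext', 'tcontext'):
        if ctx in avc:
            avc[ctx + '_type'] = avc[ctx].split(':')[2]
    return avc


def diagnose(avc):
    """Explain a denial, with the specific reading for the execute_no_trans case in the thread."""
    if avc is None or avc['verdict'] != 'denied':
        return 'no denial to explain'
    src, tgt = avc['scontext_type'], avc['tcontext_type']
    if avc.get('tclass') == 'file' and 'execute_no_trans' in avc['perms']:
        # execute_no_trans = run the file while STAYING in the caller's domain. For suexec the
        # policy expects httpd_t to transition to a separate domain, so this denial means the
        # transition did not happen; the reply in the thread names the boolean to check.
        if tgt == 'httpd_suexec_exec_t':
            hint = 'check: getsebool httpd_suexec_disable_trans'
        else:
            hint = 'check whether the domain transition from %s on %s is defined or disabled' % (src, tgt)
        return '%s ran %s (%s) without a domain transition; %s' % (src, avc.get('path', '?'), tgt, hint)
    return '%s denied %s on %s (%s)' % (src, ' '.join(avc['perms']), avc.get('path', '?'), tgt)


if __name__ == '__main__':
    print(diagnose(parse_avc(SAMPLE_AVC)))
```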