---------- Forwarded Message ----------

Subject: Re: http AVC
Date: Thursday 02 December 2010, 17:21:25
From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
To: Tony Molloy <tony.molloy@xxxxx>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/02/2010 12:15 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 15:04:24 you wrote:
>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>> Hi,
>>>
>>> I'm running http on a fully updated Centos 5 system.
>>>
>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>
>>> I'm trying to run a cgi script from a user directory.
>>>
>>> With SELinux enabled I get the following error.
>>>
>>> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8] (13)Permission denied: exec of '/usr/sbin/suexec' failed
>>> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8] Premature end of script headers: survey.cgi
>>>
>>> With SELinux in permissive mode I get the following AVC
>>>
>>> Summary:
>>>
>>> SELinux prevented httpd executing access to http files.
>>>
>>> Detailed Description:
>>>
>>> [SELinux is in permissive mode, the operation would have been denied but
>>> was permitted due to permissive mode.]
>>>
>>> SELinux prevented httpd executing access to http files. Ordinarily httpd
>>> is allowed full access to all files labeled with http file context. This
>>> machine has a tightened security policy with the httpd_unified turned
>>> off, this requires explicit labeling of all files. If a file is a cgi
>>> script it needs to be labeled with httpd_TYPE_script_exec_t in order to
>>> be executed. If it is read-only content, it needs to be labeled
>>> httpd_TYPE_content_t, it is writable content. it needs to be labeled
>>> httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
>>> command to change these contexts.
>>> Please refer to the man page "man httpd_selinux" or FAQ
>>> (http://fedora.redhat.com/docs/selinux-apache-fc3) "TYPE" refers to one
>>> of "sys", "user" or "staff" or potentially other script types.
>>>
>>> Allowing Access:
>>>
>>> Changing the "httpd_unified" boolean to true will allow this access:
>>> "setsebool -P httpd_unified=1"
>>>
>>> The following command will allow this access:
>>>
>>> setsebool -P httpd_unified=1
>>>
>>> Raw Audit Messages
>>>
>>> host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied { execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec" dev=sda2 ino=1791541 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
>>>
>>> host=a.b.c.d type=SYSCALL msg=audit(1291296812.604:97588): arch=c000003e syscall=59 success=yes exit=0 a0=2abacad53449 a1=2abae3768e90 a2=2abae37684d8 a3=0 items=0 ppid=789 pid=5567 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="suexec" exe="/usr/sbin/suexec" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>
>>> So it suggests "setsebool -P httpd_unified=1" will allow this access.
>>>
>>> However getsebool -a | grep http gives
>>> httpd_unified --> on
>>>
>>> So it is already on.
>>>
>>> Thanks,
>>>
>>> Tony
>>
>> Do you have httpd_suexec_disable_trans turned on?
>
> Yep
>
> getsebool -a | grep http
>
> httpd_suexec_disable_trans --> on
> httpd_enable_cgi --> on
>
> Tony
>
> Turn the httpd_suexec_disable_trans off
> setsebool -P httpd_suexec_disable_trans 0
> And I bet it will work

OK I'll try that, but I won't be able to test it until tomorrow morning.
I'll let you know what happens.
Thanks,

Tony
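A small triage helper, added here as an example and not part of the thread, that parses the raw AVC quoted above and applies Dan's reasoning: an execute_no_trans denial from httpd_t on a file labelled *_exec_t means the expected domain transition was suppressed, so the httpd_unified labelling suggestion from setroubleshoot is beside the point. Deriving the boolean name <domain>_disable_trans from the target type follows the 2.4.x policy naming convention and is an assumption to confirm with getsebool -a.

```python
import re

# Raw AVC quoted in the thread above (the host field was already redacted there).
AVC_LINE = (
    'host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied { '
    'execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec" '
    'dev=sda2 ino=1791541 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file'
)


def parse_avc(line):
    """Return the key=value fields of an AVC record plus the denied permissions."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        raise ValueError('not an AVC denial record')
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields['perms'] = set(m.group(1).split())
    return fields


def context_type(ctx):
    """Extract the type from a user:role:type:level security context."""
    return ctx.split(':')[2]


def triage(avc):
    """Flag an execute_no_trans denial on an entrypoint file as a suppressed
    domain transition and name the boolean to check.

    Assumption: the 2.4.x policy names such booleans <domain>_disable_trans,
    so httpd_suexec_exec_t maps to httpd_suexec_disable_trans.
    """
    src = context_type(avc['scontext'])
    tgt = context_type(avc['tcontext'])
    if not ('execute_no_trans' in avc['perms'] and avc.get('tclass') == 'file'
            and tgt.endswith('_exec_t')):
        return None  # some other kind of denial; this heuristic does not apply
    boolean = tgt[:-len('_exec_t')] + '_disable_trans'
    return {
        'source_domain': src,
        'entrypoint_type': tgt,
        'suspect_boolean': boolean,
        'check': 'getsebool ' + boolean,
        'fix_if_on': 'setsebool -P ' + boolean + ' 0',
    }
```

Run against the thread's AVC it reports httpd_suexec_disable_trans as the boolean to check, which is the one Dan asked about.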
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux