Dominick, thanks. nosuid on /var was the culprit. Remounting suid and everything works as normal.

Note: re-running semodule -DB with the nosuid mount option results in the server error with no denials in the audit log. Bug?

Sent from my BlackBerry device on the Rogers Wireless Network

-----Original Message-----
From: Dominick Grift <dominick.grift@xxxxxxxxx>
Date: Tue, 10 Apr 2012 16:41:45
To: Dark Sinclair <darksinclair@xxxxxxxxx>
Cc: <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Permission denied to cgi-script when enforcing selinux on RHEL6

On Tue, 2012-04-10 at 09:59 -0400, Dark Sinclair wrote:
> Greetings all,
>
> I've set up a simple apache webserver with cgi-script executing
> python code on RHEL6. With selinux disabled, the script returns
> output fine to a browser, but with selinux enforced I receive a 500
> Internal Server error and permission denied in ssl_error_log with
> nothing logged to audit.log even though dontaudit rules are disabled.
> audit2allow -a -l is clean as well. I am able to successfully
> execute the script on the command line under apache's context httpd_t,
> so it's only when returning the content to the browser that the 500
> Internal Server error occurs. Anyone have any idea to help
> troubleshoot?

You should really see AVC denials when you build the policy.db with the
dontaudit rules removed (semodule -DB). Maybe you've overlooked them?

> Pertinent information below, any help is greatly appreciated.
>
> Thanks in advance,
>
>
> >> ssl_error_log when accessing through the browser:
> [Tue Apr 10 09:37:43 2012] [error] (13)Permission denied: exec of
> '/var/www/cgi-bin/index.py' failed
> [Tue Apr 10 09:37:43 2012] [error] Premature end of script headers: index.py
>
>
> >> Apache is running under context httpd_t:
> # /bin/ps axZ | grep http
> unconfined_u:system_r:httpd_t:s0 12716 ?  Ss  0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12719 ?  S   0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12720 ?  S   0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12721 ?  S   0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12722 ?  S   0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12723 ?  S   0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12724 ?  S   0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12725 ?  S   0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12726 ?  S   0:00 /usr/sbin/httpd
>
>
> >> Able to execute the script successfully under apache with context httpd_t:
> # sudo -u apache -t httpd_t ./index.py

That test does not work, I believe. I tried it myself:

[dominick@q9000 ~]$ echo '#!/bin/bash' > test.sh
[dominick@q9000 ~]$ echo "exec id -Z" >> test.sh
[dominick@q9000 ~]$ chmod +x test.sh
[dominick@q9000 ~]$ sudo -u dominick -t httpd_t /home/dominick/test.sh
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

It doesn't actually run in httpd_t somehow.

> Content-Type: text/plain;charset=utf-8
>
> Hello World!
>
>
> >> sebools have at least httpd_enable_cgi:
> # getsebool -a | grep http | grep "\-\-> on"
> httpd_builtin_scripting --> on
> httpd_dbus_avahi --> on
> httpd_enable_cgi --> on
> httpd_execmem --> on
> httpd_tty_comm --> on
> httpd_unified --> on
>
>
> >> All contexts, importantly httpd_sys_script_exec_t for cgi-bin and index.py within:
> # ls -lZd /var/www/
> drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/
>
> # ls -lZd /var/www/*
> drwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin
> drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/html
>
> # ls -lZd /var/www/cgi-bin/*
> -rwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/index.py

Shot in the dark: what are the mount options of the /var/www/cgi-bin/index.py location?

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
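The check Dominick's "shot in the dark" asks for, as an added example that is not part of the thread and not code from either poster. On a nosuid mount the kernel skips the SELinux domain transition on execve (the new process keeps the caller's SID, just as it would keep the caller's uid), so httpd_t never enters the CGI script domain; the transition is skipped rather than denied, which is why the mount options belong in the troubleshooting sequence alongside labels and booleans. The script parses /proc/self/mountinfo text to find the mount that holds a path (longest path-component prefix, so /var/www/html wins over /var and /variant is not matched by /var) and reports nosuid or noexec on it. The mountinfo table is passed in as a string so it runs offline on a constructed sample, which is labelled as such; the mount layout, device names and the /mnt/odd\040name entry are assumptions for the example. On a live box, findmnt -T /var/www/cgi-bin -o TARGET,OPTIONS gives the same answer in one line.

```shell
#!/bin/sh
# Added example (not from the thread): find the mount holding a path and report
# options that stop a CGI exec from working under SELinux. nosuid means no
# domain transition on execve; noexec blocks the exec outright. Mountinfo text
# is passed as a string so the functions work on the constructed sample below
# and, unchanged, on "$(cat /proc/self/mountinfo)".

# Constructed /proc/self/mountinfo sample (assumed layout, not the poster's box).
# Fields: id parent maj:min root mountpoint per-mount-options [optional..] - fstype source super-options
# /var is nosuid, as in the thread; /var/www/html is a separate, clean mount;
# the last entry shows the \040 escape mountinfo uses for a space.
SAMPLE_MOUNTINFO='19 1 253:0 / / rw,relatime - ext4 /dev/mapper/vg-root rw,barrier=1
20 19 0:3 / /proc rw,relatime - proc proc rw
21 19 253:2 / /var rw,nosuid,relatime - ext4 /dev/mapper/vg-var rw,barrier=1
22 21 253:3 / /var/www/html rw,relatime - ext4 /dev/mapper/vg-www rw,barrier=1
23 19 0:15 / /tmp rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw
24 19 0:16 / /mnt/odd\040name rw,nosuid,relatime - tmpfs tmpfs rw'

# decode_mnt FIELD: mountinfo escapes a space in a mount point as \040
decode_mnt() {
    printf '%s' "$1" | sed 's/\\040/ /g'
}

# mount_point_of PATH MOUNTINFO_TEXT
# Prints the mount point holding PATH: the longest mount point that is a
# path-component prefix of PATH. Later entries over-mount earlier ones, so
# among equal-length matches the last one wins. "/" is the fallback.
mount_point_of() {
    path=$1
    best=/
    best_len=1
    while read -r _id _parent _dev _root mpt _opts _rest; do
        [ -n "$mpt" ] || continue
        mpt=$(decode_mnt "$mpt")
        case "$path" in
            "$mpt"|"$mpt"/*)
                if [ "${#mpt}" -ge "$best_len" ]; then
                    best=$mpt
                    best_len=${#mpt}
                fi
                ;;
        esac
    done <<EOF
$2
EOF
    printf '%s\n' "$best"
}

# mount_options_of MOUNTPOINT MOUNTINFO_TEXT
# Prints the per-mount option field of the last entry for MOUNTPOINT
# (that is the visible mount when something is mounted over it twice).
mount_options_of() {
    want=$1
    found=
    while read -r _id _parent _dev _root mpt opts _rest; do
        [ -n "$mpt" ] || continue
        if [ "$(decode_mnt "$mpt")" = "$want" ]; then
            found=$opts
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$found"
}

# has_mount_option PATH OPTION MOUNTINFO_TEXT: succeeds if the mount holding PATH carries OPTION
has_mount_option() {
    mpt=$(mount_point_of "$1" "$3")
    opts=$(mount_options_of "$mpt" "$3")
    case ",$opts," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_exec_mount PATH MOUNTINFO_TEXT
# Prints "PATH MOUNTPOINT VERDICT"; VERDICT is "ok" or the offending options.
check_exec_mount() {
    mpt=$(mount_point_of "$1" "$2")
    opts=$(mount_options_of "$mpt" "$2")
    verdict=
    for bad in noexec nosuid; do
        case ",$opts," in
            *",$bad,"*) verdict="$verdict${verdict:+,}$bad" ;;
        esac
    done
    printf '%s %s %s\n' "$1" "$mpt" "${verdict:-ok}"
}

# Run over the sample, then over the live table when one is readable.
for p in /var/www/cgi-bin/index.py /var/www/html/index.html /usr/sbin/httpd /tmp/x.sh; do
    check_exec_mount "$p" "$SAMPLE_MOUNTINFO"
done
if [ -r /proc/self/mountinfo ]; then
    check_exec_mount "${1:-/var/www/cgi-bin}" "$(cat /proc/self/mountinfo)"
fi
```

On the sample, /var/www/cgi-bin/index.py resolves to the nosuid /var mount, which is the situation the poster fixed by remounting /var suid; the /var/www/html entry shows that a sub-mount without nosuid is the other way out if nosuid on /var is wanted for hardening. The parser only decodes the \040 escape; mountinfo also escapes tab, newline and backslash, which real mount points rarely contain.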