On Tue, 2012-04-10 at 14:51 +0000, darksinclair@xxxxxxxxx wrote:
> Dominick, thanks. nosuid on /var was the culprit. Remounting suid and
> everything works as normal.
>
> Note: re-running semodule -DB with nosuid mount option results in the
> server error with no denials in the audit log. Bug?
> Sent from my BlackBerry device on the Rogers Wireless Network

I would expect to see at least some AVC denials yes (for example rlimitinh
noatsecure etc)
Hard to tell for me from a distance.

> -----Original Message-----
> From: Dominick Grift <dominick.grift@xxxxxxxxx>
> Date: Tue, 10 Apr 2012 16:41:45
> To: Dark Sinclair<darksinclair@xxxxxxxxx>
> Cc: <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: Permission denied to cgi-script when enforcing selinux on RHEL6
>
> On Tue, 2012-04-10 at 09:59 -0400, Dark Sinclair wrote:
> > Greetings all,
> >
> > I've set up a simple apache webserver with cgi-script executing
> > python code on RHEL6. With selinux disabled, the script returns
> > output fine to a browser but with selinux enforced I receive a 500
> > Internal Server error and permission denied in ssl_error_log with
> > nothing logged to audit.log even though don't audit rules are disabled.
> > audit2allow -a -l is clean as well. I am able to successfully
> > execute the script on the command line under apache's context httpd_t,
> > so it's only when returning the content to the browser that the 500
> > Internal Server error occurs. Anyone have any idea to help
> > troubleshoot?
>
> You should really see AVC denials when you build the policy.db with the
> dontaudit rules removed (semodule -DB)
>
> Maybe you've overlooked them?
>
> > Pertinent information below, any help is greatly appreciated.
> >
> > Thanks in advance,
> >
> >
> > >> ssl_error_log when accessing through the browser:
> > [Tue Apr 10 09:37:43 2012] [error] (13)Permission denied: exec of
> > '/var/www/cgi-bin/index.py' failed
> > [Tue Apr 10 09:37:43 2012] [error] Premature end of script headers: index.py
> >
> >
> > >> Apache is running under context httpd_t:
> > # /bin/ps axZ | grep http
> > unconfined_u:system_r:httpd_t:s0 12716 ? Ss 0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12719 ? S 0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12720 ? S 0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12721 ? S 0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12722 ? S 0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12723 ? S 0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12724 ? S 0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12725 ? S 0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12726 ? S 0:00 /usr/sbin/httpd
> >
> >
> > >> Able to execute the script successfully under apache with context httpd_t:
> > # sudo -u apache -t httpd_t ./index.py
>
> That test does not work I believe.
>
> I tried it myself:
>
> [dominick@q9000 ~]$ echo '#!/bin/bash' > test.sh
> [dominick@q9000 ~]$ echo "exec id -Z" >> test.sh
> [dominick@q9000 ~]$ chmod +x test.sh
> [dominick@q9000 ~]$ sudo -u dominick -t httpd_t /home/dominick/test.sh
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> It doesn't actually run in httpd_t somehow.
>
> > Content-Type: text/plain;charset=utf-8
> >
> > Hello World!
> >
> >
> > >> sebool's have at least httpd_enable_cgi:
> > # getsebool -a | grep http | grep "\-\-> on"
> > httpd_builtin_scripting --> on
> > httpd_dbus_avahi --> on
> > httpd_enable_cgi --> on
> > httpd_execmem --> on
> > httpd_tty_comm --> on
> > httpd_unified --> on
> >
> >
> > >> All contexts, importantly httpd_sys_script_exec_t for cgi-bin and index.py within:
> > # ls -lZd /var/www/
> > drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/
> >
> > # ls -lZd /var/www/*
> > drwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0
> > /var/www/cgi-bin
> > drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/html
> >
> > # ls -lZd /var/www/cgi-bin/*
> > -rwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0
> > /var/www/cgi-bin/index.py
>
> shot in the dark: what are the mount options
> of /var/www/cgi-bin/index.py location?
>
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
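As an added example (not code from the thread or from any of its authors), a small POSIX sh checker for the "shot in the dark" above: it locates the mount holding a script path and reports whether that mount carries nosuid or noexec, the option darksinclair confirmed as the culprit, so an admin can rule this out before chasing AVC denials. The mounts table and paths are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: for a script path, find the mount that
# holds it and flag nosuid/noexec, the option the thread identified as the
# cause of the CGI exec failure. Reads a mounts table in /proc/self/mounts form.

# mount_for_path PATH: reads a mounts table on stdin and prints
# "<mountpoint> <options>" for the longest mount point containing PATH.
mount_for_path() {
    path=$1
    best=; best_opts=
    while read -r _dev mnt _fstype opts _rest; do
        # "/" contains everything; any other mount point must match exactly
        # or at a path-component boundary (/var must not claim /variant).
        case "$path" in
            "$mnt"|"$mnt"/*) ;;
            *) [ "$mnt" = "/" ] || continue ;;
        esac
        if [ "${#mnt}" -ge "${#best}" ]; then
            best=$mnt
            best_opts=$opts
        fi
    done
    printf '%s %s\n' "$best" "$best_opts"
}

# exec_blocking_opts OPTS: prints the nosuid/noexec entries of a
# comma-separated option list; returns 1 when neither is present.
exec_blocking_opts() {
    found=
    old_ifs=$IFS; IFS=,
    for o in $1; do
        case "$o" in
            nosuid|noexec) found="$found${found:+ }$o" ;;
        esac
    done
    IFS=$old_ifs
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Constructed sample table mirroring the thread (/var mounted nosuid).
# On a live host: mount_for_path /var/www/cgi-bin/index.py </proc/self/mounts
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,relatime 0 0'
set -- $(printf '%s\n' "$SAMPLE_MOUNTS" | mount_for_path /var/www/cgi-bin/index.py)
echo "index.py is on $1 mounted with: $2"
blocking=$(exec_blocking_opts "$2") && echo "exec-blocking option(s) on that mount: $blocking"
```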