Permission denied to cgi-script when enforcing selinux on RHEL6

Dark Sinclair darksinclair at gmail.com
Tue Apr 10 13:59:10 UTC 2012


Greetings all,

I've set up a simple Apache webserver with cgi-script executing
Python code on RHEL6.  With SELinux disabled, the script returns
output fine to a browser, but with SELinux enforcing I receive a 500
Internal Server Error and permission denied in ssl_error_log, with
nothing logged to audit.log even though dontaudit rules are disabled.
audit2allow -a -l is clean as well.  I am able to successfully
execute the script on the command line under Apache's context httpd_t,
so it's only when returning the content to the browser that the 500
Internal Server Error occurs.  Anyone have any ideas to help
troubleshoot?

Pertinent information below, any help is greatly appreciated.

Thanks in advance,


>> ssl_error_log when accessing through the browser:
[Tue Apr 10 09:37:43 2012] [error] (13)Permission denied: exec of
'/var/www/cgi-bin/index.py' failed
[Tue Apr 10 09:37:43 2012] [error] Premature end of script headers: index.py


>> Apache is running under context httpd_t:
# /bin/ps axZ | grep http
unconfined_u:system_r:httpd_t:s0 12716 ?       Ss     0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12719 ?       S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12720 ?       S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12721 ?       S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12722 ?       S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12723 ?       S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12724 ?       S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12725 ?       S      0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12726 ?       S      0:00 /usr/sbin/httpd


>> Able to execute the script successfully under apache with context httpd_t:
# sudo -u apache -t httpd_t ./index.py
Content-Type: text/plain;charset=utf-8

Hello World!


>> sebools have at least httpd_enable_cgi:
# getsebool -a | grep http | grep "\-\-> on"
httpd_builtin_scripting --> on
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_execmem --> on
httpd_tty_comm --> on
httpd_unified --> on


>> All contexts, importantly httpd_sys_script_exec_t for cgi-bin and index.py within:
# ls -lZd /var/www/
drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/

# ls -lZd /var/www/*
drwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin
drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/html

# ls -lZd /var/www/cgi-bin/*
-rwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/index.py


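The checks below are an added example, not part of the original post or any reply to it: a read-only shell checklist for the symptom described above (httpd reports "(13)Permission denied: exec of" a CGI script while SELinux is enforcing, and audit.log stays empty). It assumes a RHEL6-style host with the stock tools (getenforce, getsebool, matchpathcon and semodule from the policy packages, sesearch from setools, auditd, stat with %C) and takes the script path as an argument; the path /var/www/cgi-bin/index.py in the usage line is the one from the post. The only thing it changes is policy auditing, and only when asked with -D.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only checklist for the
# "(13)Permission denied: exec of <cgi>" symptom with SELinux enforcing and
# nothing in audit.log.  Usage (as root on the RHEL6 host):
#   sh cgi_selinux_check.sh /var/www/cgi-bin/index.py
# Everything here only reads state, except "-D", which runs `semodule -DB`
# (rebuild policy with dontaudit rules disabled) before the checks.

# Type field (3rd colon-separated field) of a context such as
# system_u:object_r:httpd_sys_script_exec_t:s0  ->  httpd_sys_script_exec_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type the file-context database says a path should have (what restorecon
# would set); empty on a host without the SELinux tools.
expected_type() {
    command -v matchpathcon >/dev/null 2>&1 || return 0
    selinux_type "$(matchpathcon -n "$1")"
}

# 0 when a full on-disk context carries the given type, 1 otherwise.
type_matches() {
    [ "$(selinux_type "$1")" = "$2" ]
}

check_cgi_selinux() {
    script=$1
    dir=$(dirname "$script")

    echo "## mode and the boolean that matters for CGI"
    getenforce 2>/dev/null
    getsebool httpd_enable_cgi 2>/dev/null

    echo "## where AVCs end up: audit.log needs auditd, otherwise kernel log / messages"
    if ! service auditd status >/dev/null 2>&1; then
        echo "auditd is not running: look in dmesg and /var/log/messages, not audit.log"
    fi
    { dmesg; cat /var/log/messages /var/log/audit/audit.log; } 2>/dev/null \
        | grep -i 'avc: *denied' | tail -n 5

    echo "## on-disk contexts vs. policy for the directory and the script"
    for p in "$dir" "$script"; do
        ondisk=$(stat -c '%C' "$p" 2>/dev/null) || { echo "cannot stat $p"; continue; }
        want=$(expected_type "$p")
        if [ -n "$want" ] && ! type_matches "$ondisk" "$want"; then
            echo "MISMATCH $p: $ondisk, policy expects $want (fix: restorecon -v $p)"
        else
            echo "ok $p: $ondisk"
        fi
    done

    echo "## interpreter named by the shebang (the script domain must be able to exec it)"
    interp=$(head -n 1 "$script" 2>/dev/null | sed 's/^#! *//; s/ .*//')
    [ -n "$interp" ] && stat -c '%C %n' "$interp" 2>/dev/null

    echo "## may httpd_t execute, and transition on, httpd_sys_script_exec_t?"
    if command -v sesearch >/dev/null 2>&1; then
        sesearch -A -s httpd_t -t httpd_sys_script_exec_t -c file -p execute
        sesearch -T -s httpd_t -t httpd_sys_script_exec_t -c process
    fi

    echo "## label of the running httpd (system_u = started by init, unconfined_u = from a login shell)"
    ps -eo label,pid,comm 2>/dev/null | grep '[h]ttpd' | head -n 2
}

if [ "$1" = "-D" ]; then
    shift
    semodule -DB && echo "dontaudit disabled: reproduce the 500, then run: ausearch -m avc -ts recent"
fi
if [ $# -gt 0 ]; then
    check_cgi_selinux "$1"
fi
```

The two pure helpers (selinux_type, type_matches) are separated from the host-dependent checks so the context comparison can be exercised on any machine; the "on-disk vs. policy" step is the one that catches a file that looks right in `ls -Z` but does not match what `restorecon` would assign, and the auditd step covers the case where denials are being written somewhere other than audit.log.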