Permission denied to cgi-script when enforcing selinux on RHEL6
Dominick Grift
dominick.grift at gmail.com
Tue Apr 10 14:41:45 UTC 2012
On Tue, 2012-04-10 at 09:59 -0400, Dark Sinclair wrote:
> Greetings all,
>
> I've set up a simple apache webserver with cgi-script executing
> python code on RHEL6. With selinux disabled, the script returns
> output fine to a browser but with selinux enforced I receive a 500
> Internal Server error and permission denied in ssl_error_log with
> nothing logged to audit.log even though dontaudit rules are disabled.
> audit2allow -a -l is clean as well. I am able to successfully
> execute the script on the command line under apache's context httpd_t,
> so it's only when returning the content to the browser that the 500
> Internal Server error occurs. Anyone have any idea to help
> troubleshoot?
You should really see AVC denials when you build the policy.db with the
dontaudit rules removed (semodule -DB)
Maybe you've overlooked them?
> Pertinent information below, any help is greatly appreciated.
>
> Thanks in advance,
>
>
> >> ssl_error_log when accessing through the browser:
> [Tue Apr 10 09:37:43 2012] [error] (13)Permission denied: exec of '/var/www/cgi-bin/index.py' failed
> [Tue Apr 10 09:37:43 2012] [error] Premature end of script headers: index.py
>
>
> >> Apache is running under context httpd_t:
> # /bin/ps axZ | grep http
> unconfined_u:system_r:httpd_t:s0 12716 ? Ss 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12719 ? S 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12720 ? S 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12721 ? S 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12722 ? S 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12723 ? S 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12724 ? S 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12725 ? S 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12726 ? S 0:00 /usr/sbin/httpd
>
>
> >> Able to execute the script successfully under apache with context httpd_t:
> # sudo -u apache -t httpd_t ./index.py
That test does not work, I believe.
I tried it myself:
[dominick at q9000 ~]$ echo '#!/bin/bash' > test.sh
[dominick at q9000 ~]$ echo "exec id -Z" >> test.sh
[dominick at q9000 ~]$ chmod +x test.sh
[dominick at q9000 ~]$ sudo -u dominick -t httpd_t /home/dominick/test.sh
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
It doesn't actually run in httpd_t somehow.
> Content-Type: text/plain;charset=utf-8
>
> Hello World!
>
>
> >> sebool's have at least httpd_enable_cgi:
> # getsebool -a | grep http | grep "\-\-> on"
> httpd_builtin_scripting --> on
> httpd_dbus_avahi --> on
> httpd_enable_cgi --> on
> httpd_execmem --> on
> httpd_tty_comm --> on
> httpd_unified --> on
>
>
> >> All contexts, importantly httpd_sys_script_exec_t for cgi-bin and index.py within:
> # ls -lZd /var/www/
> drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/
>
> # ls -lZd /var/www/*
> drwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin
> drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/html
>
> # ls -lZd /var/www/cgi-bin/*
> -rwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/index.py
Shot in the dark: what are the mount options of the /var/www/cgi-bin/index.py location?
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
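The mount-option question raised above is worth checking mechanically, since a noexec mount makes execve fail with EACCES ("(13)Permission denied") before SELinux is consulted, so no AVC is ever written. The script below is an added example, not code from the thread: it finds the mount entry governing a path in a /proc/mounts-style table (a constructed sample is embedded; pass "$(cat /proc/mounts)" on a live host) and reports whether that mount carries noexec.

```shell
#!/bin/sh
# Added example: locate the mount that governs a path and check its options.
# Constructed /proc/mounts-style sample (device mountpoint fstype options dump pass).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-var /var ext4 rw,relatime 0 0
/dev/mapper/vg-www /var/www ext4 rw,noexec,nosuid,relatime 0 0
tmpfs /tmp tmpfs rw,noexec 0 0'

# mount_for_path PATH [TABLE]: print "<mountpoint> <options>" for the longest
# mountpoint that is a prefix of PATH; a later entry wins on equal length,
# matching the order in which /proc/mounts lists stacked mounts.
mount_for_path() {
    _path=$1
    _table=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$_table" | awk -v p="$_path" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
            }
        }
        END { if (best != "") print best, opts }'
}

# has_mount_option PATH OPTION [TABLE]: succeed if the governing mount sets
# OPTION as a whole token (so "rw" does not match "rw,noexec" by substring).
has_mount_option() {
    _opts=$(mount_for_path "$1" "$3" | awk '{print $2}')
    case ",$_opts," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_exec_path PATH [TABLE]: explain an exec EACCES that SELinux never logged.
check_exec_path() {
    if has_mount_option "$1" noexec "$2"; then
        _mp=$(mount_for_path "$1" "$2" | awk '{print $1}')
        echo "$1: mount $_mp is noexec; the kernel refuses exec before any AVC check"
        return 1
    fi
    echo "$1: governing mount is not noexec; look elsewhere (labels, dontaudit)"
}

check_exec_path /var/www/cgi-bin/index.py "$SAMPLE_MOUNTS" || true
```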