Permission denied to cgi-script when enforcing selinux on RHEL6

darksinclair at gmail.com darksinclair at gmail.com
Tue Apr 10 14:51:16 UTC 2012


Dominick, thanks.  nosuid on /var was the culprit.  Remounting suid and everything works as normal.

Note:   re-running semodule -DB with nosuid mount option results in the server error with no denials in the audit log.  Bug?
Sent from my BlackBerry device on the Rogers Wireless Network

-----Original Message-----
From: Dominick Grift <dominick.grift at gmail.com>
Date: Tue, 10 Apr 2012 16:41:45 
To: Dark Sinclair<darksinclair at gmail.com>
Cc: <selinux at lists.fedoraproject.org>
Subject: Re: Permission denied to cgi-script when enforcing selinux on RHEL6

On Tue, 2012-04-10 at 09:59 -0400, Dark Sinclair wrote:
> Greetings all,
> 
> I've set up a  simple apache webserver with cgi-script executing
> python code on RHEL6.  With selinux disabled, the script returns
> output fine to a browser but with selinux enforced I receive a 500
> Internal Server error and permission denied in ssl_error_log with
> nothing logged to audit.log even though dontaudit rules are disabled.
>  audit2allow -a -l is clean as well.  I am able to successfully
> execute the script on the command line under apache's context httpd_t,
> so it's only when returning the content to the browser that the 500
> Internal Server error occurs.  Anyone have any idea to help
> troubleshoot?

You should really see AVC denials when you build the policy.db with the
dontaudit rules removed (semodule -DB).

Maybe you've overlooked them?

> Pertinent information below, any help is greatly appreciated.
> 
> Thanks in advance,
> 
> 
> >> ssl_error_log when accessing through the browser:
> [Tue Apr 10 09:37:43 2012] [error] (13)Permission denied: exec of
> '/var/www/cgi-bin/index.py' failed
> [Tue Apr 10 09:37:43 2012] [error] Premature end of script headers: index.py
> 
> 
> >> Apache is running under context httpd_t:
> # /bin/ps axZ | grep http
> unconfined_u:system_r:httpd_t:s0 12716 ?       Ss     0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12719 ?       S      0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12720 ?       S      0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12721 ?       S      0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12722 ?       S      0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12723 ?       S      0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12724 ?       S      0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12725 ?       S      0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12726 ?       S      0:00 /usr/sbin/httpd
> 
> 
> >> Able to execute the script successfully under apache with context httpd_t:
> # sudo -u apache -t httpd_t ./index.py

That test does not work, I believe.

I tried it myself:

[dominick at q9000 ~]$ echo '#!/bin/bash' > test.sh
[dominick at q9000 ~]$ echo "exec id -Z" >> test.sh
[dominick at q9000 ~]$ chmod +x test.sh
[dominick at q9000 ~]$ sudo -u dominick -t httpd_t /home/dominick/test.sh
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

It doesn't actually run in httpd_t somehow.

> Content-Type: text/plain;charset=utf-8
> 
> Hello World!
> 
> 
> >> sebools have at least httpd_enable_cgi:
> # getsebool -a | grep http | grep "\-\-> on"
> httpd_builtin_scripting --> on
> httpd_dbus_avahi --> on
> httpd_enable_cgi --> on
> httpd_execmem --> on
> httpd_tty_comm --> on
> httpd_unified --> on
> 
> 
> >> All contexts, importantly httpd_sys_script_exec_t for cgi-bin and index.py within:
> # ls -lZd /var/www/
> drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/
> 
> # ls -lZd /var/www/*
> drwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0
> /var/www/cgi-bin
> drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/html
> 
> # ls -lZd /var/www/cgi-bin/*
> -rwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0
> /var/www/cgi-bin/index.py

Shot in the dark: what are the mount options
of the /var/www/cgi-bin/index.py location?

> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
