Permission denied to cgi-script when enforcing selinux on RHEL6

Dominick Grift dominick.grift at gmail.com
Tue Apr 10 14:54:59 UTC 2012


On Tue, 2012-04-10 at 14:51 +0000, darksinclair at gmail.com wrote:
> Dominick, thanks.  nosuid on /var was the culprit.  Remounting suid and everything works as normal.
> 
> Note:   re-running semodule -DB with nosuid mount option results in the server error with no denials in the audit log.  Bug?

I would expect to see at least some AVC denials, yes (for example
rlimitinh, noatsecure, etc.). Hard to tell for me from a distance.

> -----Original Message-----
> From: Dominick Grift <dominick.grift at gmail.com>
> Date: Tue, 10 Apr 2012 16:41:45 
> To: Dark Sinclair<darksinclair at gmail.com>
> Cc: <selinux at lists.fedoraproject.org>
> Subject: Re: Permission denied to cgi-script when enforcing selinux on RHEL6
> 
> On Tue, 2012-04-10 at 09:59 -0400, Dark Sinclair wrote:
> > Greetings all,
> > 
> > I've set up a  simple apache webserver with cgi-script executing
> > python code on RHEL6.  With selinux disabled, the script returns
> > output fine to a browser but with selinux enforced I receive a 500
> > Internal Server error and permission denied in ssl_error_log with
> > nothing logged to audit.log even though dontaudit rules are disabled.
> >  audit2allow -a -l is clean as well.  I am able to successfully
> > execute the script on the command line under apache's context httpd_t,
> > so it's only when returning the content to the browser that the 500
> > Internal Server error occurs.  Anyone have any idea to help
> > troubleshoot?
> 
> You should really see AVC denials when you build the policy.db with the
> dontaudit rules removed (semodule -DB)
> 
> Maybe you've overlooked them?
> 
> > Pertinent information below, any help is greatly appreciated.
> > 
> > Thanks in advance,
> > 
> > 
> > >> ssl_error_log when accessing through the browser:
> > [Tue Apr 10 09:37:43 2012] [error] (13)Permission denied: exec of '/var/www/cgi-bin/index.py' failed
> > [Tue Apr 10 09:37:43 2012] [error] Premature end of script headers: index.py
> > 
> > 
> > >> Apache is running under context httpd_t:
> > # /bin/ps axZ | grep http
> > unconfined_u:system_r:httpd_t:s0 12716 ?       Ss     0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12719 ?       S      0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12720 ?       S      0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12721 ?       S      0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12722 ?       S      0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12723 ?       S      0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12724 ?       S      0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12725 ?       S      0:00 /usr/sbin/httpd
> > unconfined_u:system_r:httpd_t:s0 12726 ?       S      0:00 /usr/sbin/httpd
> > 
> > 
> > >> Able to execute the script successfully under apache with context httpd_t:
> > # sudo -u apache -t httpd_t ./index.py
> 
> That test does not work, I believe.
> 
> I tried it myself:
> 
> [dominick at q9000 ~]$ echo '#!/bin/bash' > test.sh
> [dominick at q9000 ~]$ echo "exec id -Z" >> test.sh
> [dominick at q9000 ~]$ chmod +x test.sh
> [dominick at q9000 ~]$ sudo -u dominick -t httpd_t /home/dominick/test.sh
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> 
> It doesn't actually run in httpd_t somehow.
> 
> > Content-Type: text/plain;charset=utf-8
> > 
> > Hello World!
> > 
> > 
> > >> sebool's have at least httpd_enable_cgi:
> > # getsebool -a | grep http | grep "\-\-> on"
> > httpd_builtin_scripting --> on
> > httpd_dbus_avahi --> on
> > httpd_enable_cgi --> on
> > httpd_execmem --> on
> > httpd_tty_comm --> on
> > httpd_unified --> on
> > 
> > 
> > >> All contexts, importantly httpd_sys_script_exec_t for cgi-bin and index.py within:
> > # ls -lZd /var/www/
> > drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/
> > 
> > # ls -lZd /var/www/*
> > drwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin
> > drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/html
> > 
> > # ls -lZd /var/www/cgi-bin/*
> > -rwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/index.py
> 
> shot in the dark: what are the mount options
> of /var/www/cgi-bin/index.py location?
> 

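The thread's resolution (nosuid on /var, with a correctly labelled cgi-bin and a clean audit log) is the check a practitioner wants to automate. The script below is an added example and not code from anyone in the thread: it resolves a path to the mount that contains it using the kernel's /proc/self/mountinfo format and reports nosuid/noexec. The reason this matters under SELinux is that a nosuid mount suppresses the domain transition an exec would otherwise perform (here httpd_t to httpd_sys_script_t), so the kernel instead checks execute_no_trans on the script's type, which httpd_t lacks, and the exec fails with EACCES. The function names, the constructed sample mountinfo lines and the device names in them are assumptions for the example.

```sh
#!/bin/sh
# Added example (not code from the thread): find the mount containing a CGI
# script and report whether it is mounted nosuid or noexec, either of which
# stops the httpd_t -> httpd_sys_script_t transition on exec under SELinux.
# Input is /proc/self/mountinfo format read from stdin:
#   id parent maj:min root mountpoint mount-options [optional...] - fstype source super-options
# (mount points containing spaces are escaped as \040 in that file; this
# example does not unescape them.)

# Print the mount options of the deepest mount point that contains $1.
# Usage: mount_opts_for_path /var/www/cgi-bin/index.py < /proc/self/mountinfo
mount_opts_for_path() {
    path=$1
    best=''
    best_opts=''
    while read -r _id _parent _dev _root mnt mopts _rest; do
        # "/" contains everything; otherwise require an exact match or a
        # "$mnt/" prefix so /var/www/html does not claim /var/www/htmlx.
        case "$mnt" in
            /) ;;
            *) case "$path" in
                   "$mnt"|"$mnt"/*) ;;
                   *) continue ;;
               esac ;;
        esac
        # Keep the longest (deepest) matching mount point.
        if [ "${#mnt}" -ge "${#best}" ]; then
            best=$mnt
            best_opts=$mopts
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best_opts"
}

# Return 0 if the comma-separated option list $1 contains the flag $2.
has_mount_flag() {
    case ",$1," in
        *,"$2",*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the mount under a script path (mountinfo on stdin). Returns 0 when
# the mount permits a normal domain transition on exec, 1 when nosuid or
# noexec would block it (or no containing mount was found).
check_exec_mount() {
    path=$1
    opts=$(mount_opts_for_path "$path") || {
        printf '%s: no containing mount found\n' "$path"
        return 1
    }
    rc=0
    for flag in nosuid noexec; do
        if has_mount_flag "$opts" "$flag"; then
            printf '%s: mounted %s (%s); exec of a CGI script here will fail\n' \
                "$path" "$flag" "$opts"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && printf '%s: mount options %s look fine\n' "$path" "$opts"
    return "$rc"
}

# Constructed sample (assumption, not a capture from the thread): a RHEL6-style
# layout where /var is its own filesystem mounted nosuid, as in the thread.
sample_mountinfo() {
    cat <<'EOF'
15 1 253:0 / / rw,relatime - ext4 /dev/mapper/vg_root-lv_root rw,barrier=1,data=ordered
20 15 253:2 / /var rw,nosuid,relatime - ext4 /dev/mapper/vg_root-lv_var rw,barrier=1,data=ordered
21 20 253:3 / /var/www/html rw,relatime - ext4 /dev/mapper/vg_root-lv_html rw,barrier=1,data=ordered
22 15 0:15 / /proc rw,relatime - proc proc rw
EOF
}

# With a path argument, check the live system; with none, run the sample.
case "${1-}" in
    '') sample_mountinfo | check_exec_mount /var/www/cgi-bin/index.py || : ;;
    *)  check_exec_mount "$1" < /proc/self/mountinfo ;;
esac
```

Run it as `sh check_cgi_mount.sh /var/www/cgi-bin/index.py` on the affected host; if it reports nosuid, the fix is the one the thread used (remount /var with suid) or placing cgi-bin on a filesystem that is not mounted nosuid. Do the `ls -Z` context check and `semodule -DB` first, since a wrong label or an ordinary AVC denial is the more common cause and shows up in audit.log.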