On 4 September 2017 at 23:12, Alexander Dalloz ad+lists@uni-x.org wrote:
On 04.09.2017 at 23:49, Gregory P. Ennis wrote:
Thanks for your help.
I did pick up an additional entry in the audit file:
type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" ino=537182029 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
Unfortunately, I am not sure how the above tells me what is wrong.
Greg
From the above log entry you can see that the file object that was denied execute (/var/www/cgi-bin/name.of.script.cgi) has the SELinux context type httpd_sys_content_t.
# semanage fcontext -l | grep '/var/www/cgi-bin'
/var/www/cgi-bin(/.*)?    all files    system_u:object_r:httpd_sys_script_exec_t:s0
[ ... ]
The permitted type is httpd_sys_script_exec_t.
'restorecon -Rv /var/www/cgi-bin/' can fix it. Or, more targeted, 'chcon -t httpd_sys_script_exec_t /var/www/cgi-bin/name.of.script.cgi'.
Both audit2why and audit2allow suggest activating a boolean, which you may not want to set, as it disables a more fine-grained privilege separation in the context of httpd actions.
Don't ever use chcon unless you hate future you or a random future team member when they wonder why things break after a relabelling!
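The two replies above together describe one procedure: read the tcontext type and object class out of the AVC record, compare that type with what the loaded policy says the path should carry, reapply the policy label with restorecon when they differ, and, for a path the policy does not already cover, record a file-context rule with semanage instead of a one-off chcon that the next relabel will undo. The script below is an added example and is not code from the thread or from any of the participants. The AVC record is a constructed sample modelled on the one Greg posted; avc_field, avc_perm, ctx_type, expected_type, suggest_fix and persist_label are hypothetical helper names chosen here; matchpathcon, restorecon and semanage fcontext are the real tools, and the script only calls matchpathcon when it is installed, so everything else runs offline with the expected type passed in as a parameter.

```shell
#!/bin/sh
# Added example, not code from the thread: read an AVC "denied" record,
# pull out the permission, object class and the target type, and decide
# whether a plain restorecon fixes it (the file is simply mislabelled) or
# whether the denial is a policy question that relabelling cannot solve.

# Constructed sample denial, modelled on the record posted in the thread.
SAMPLE_AVC='type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" ino=537182029 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_field RECORD KEY: value of KEY=... in the record, surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm RECORD: the permission(s) listed inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied { \([^}]*\) }.*/\1/p' |
        sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH: what the loaded policy says PATH should be labelled.
# Uses matchpathcon when present (live SELinux host); prints nothing otherwise.
expected_type() {
    if command -v matchpathcon >/dev/null 2>&1; then
        matchpathcon -n "$1" | cut -d: -f3
    fi
}

# suggest_fix RECORD PATH EXPECTED_TYPE: print the command to run.
# EXPECTED_TYPE is passed in so this runs offline; on a real host feed it
# from expected_type "$PATH".
suggest_fix() {
    rec=$1; path=$2; expected=$3
    actual=$(ctx_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    perm=$(avc_perm "$rec")
    if [ "$cls" != file ]; then
        printf 'unhandled object class %s\n' "$cls"
    elif [ "$actual" != "$expected" ]; then
        # Label drifted from policy (file copied in, or set with chcon earlier):
        # restorecon reapplies the policy label and survives a full relabel.
        printf 'restorecon -Rv %s\n' "$path"
    else
        # Label already matches policy, so relabelling cannot help; the denied
        # permission needs a policy decision (audit2why), not a chcon.
        printf 'label is already %s; %s denied by policy, see audit2why\n' \
            "$expected" "$perm"
    fi
}

# persist_label DIR TYPE: the durable alternative to chcon for a custom
# location. The rule lands in the local policy store, then gets applied.
persist_label() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

suggest_fix "$SAMPLE_AVC" /var/www/cgi-bin httpd_sys_script_exec_t
persist_label /srv/cgi httpd_sys_script_exec_t
```

For the sample record the first call prints the restorecon line, because the target type httpd_sys_content_t differs from the httpd_sys_script_exec_t the policy assigns to /var/www/cgi-bin. If the same denial showed up with the label already correct, the script says so instead of suggesting a relabel, which is the case where audit2why's boolean suggestion comes into play. The persist_label output is what to run in place of chcon when scripts live outside the paths the stock policy already covers; semanage records the pattern, restorecon applies it, and the next relabel reproduces the same result.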