Thanks for your help.
I did pick up an additional entry in the audit file:
type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" ino=537182029 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
Unfortunately, I am not sure how the above tells me what is wrong.
Greg
-----Original Message-----
From: Clint Dilks clintd@scms.waikato.ac.nz
Reply-to: CentOS mailing list centos@centos.org
To: CentOS mailing list centos@centos.org
Subject: Re: [CentOS] selinux denial of cgi script with httpd using ssl
Date: Tue, 5 Sep 2017 09:38:27 +1200
Hi,
Try disabling Don't Audit rules
semodule -DB
Then check /var/log/audit.log
To re-enable
semodule -B
On Tue, Sep 5, 2017 at 5:07 AM, Gregory P. Ennis PoMec@pomec.net wrote:
Everyone,
I am trying to use a cgi perl script for a CentOS 7 website that works fine with selinux in permissive mode but fails with selinux in enforcing mode.
The problem I have is that I cannot find where the selinux error message is being recorded.
It does not appear to be in the /var/log/messages or /var/log/audit/audit.log. I do not get any /var/log/httpd/ssl_error_log entries. I do get a successful entry into /var/log/httpd/ssl_access_log and ssl_request_log when selinux is in permissive mode, but not when selinux is in enforcing mode.
The only place I can see that I am getting an error message is in the /var/log/httpd/error_log which is as follows:
[Mon Sep 04 11:40:24.216569 2017] [cgi:error] [pid 2290] [client x.x.x.x:55748] AH01215: (13)Permission denied: exec of '/var/www/cgi-bin/name.of.script.cgi' failed, referer: https://name.domain.com/
When selinux is in permissive mode the above error does not occur and the script works fine. When selinux is in enforcing mode the above error occurs, and the cgi script fails to execute.
Is there a way to increase the sensitivity of selinux logging, or is there a different place to look for the error that prevents the execution of the script?
Your help would be appreciated.
Thanks,
Greg Ennis
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
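Reading the AVC record quoted in this thread, as an added example that is not part of any poster's message: the Python sketch below parses audit records and groups denials by source type, target type and object class, which is the information needed to see what was refused. The function names and the constructed SYSCALL line are assumptions for illustration.

```python
import re
import shlex
from collections import defaultdict

# First line: the AVC record quoted in the thread. Second line: constructed.
SAMPLE_LOG = """\
type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" ino=537182029 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1504561395.709:10196): arch=c000003e syscall=59 success=no exit=-13
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<epoch>[\d.]+):(?P<serial>\d+)\):\s+"
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)

def selinux_type(context):
    """Return the type field (third) of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one audit line; return a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # shlex strips the quotes around values such as comm="/usr/sbin/httpd".
    fields = dict(t.split("=", 1) for t in shlex.split(m["rest"]) if "=" in t)
    return {
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": m["perms"].split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source_type": selinux_type(fields.get("scontext", "")),
        "target_type": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }

def summarize(log_text):
    """Group denials: (source type, target type, class) -> set of permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc and avc["result"] == "denied":
            key = (avc["source_type"], avc["target_type"], avc["tclass"])
            denials[key].update(avc["perms"])
    return dict(denials)

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE_LOG).items():
        print(f"{src} denied {{ {' '.join(sorted(perms))} }} on {cls} labelled {tgt}")
```

For the record in the thread this reports that the `httpd_t` domain was denied `execute` on a file labelled `httpd_sys_content_t`. In the targeted policy, CGI scripts run by httpd normally carry the `httpd_sys_script_exec_t` type, so `ls -Z` on the script shows the mismatch and `restorecon -v` restores the default label for a file under /var/www/cgi-bin.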