On 4 September 2017 at 22:49, Gregory P. Ennis PoMec@pomec.net wrote:
Thanks for your help.
I did pick up an additional entry in the audit file:
type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" ino=537182029 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
Unfortunately, I am not sure how the above tells me what is wrong.
Odd it was in the don't audit logs, as I think that should be logged normally.
Executable scripts should be httpd_sys_script_exec_t rather than httpd_sys_content_t, as the latter is just read only content files rather than something to be executed.
The default policy has the cgi-bin directory contents labelled correctly by default though ...
Could you please post the output of 'semanage fcontext -lC' ... this will list any local file context modifications.
You could try restorecon -Rv /var/www to see if that fixes your labelling, if you've not made any local modifications.
If you have made local modifications to set the contents of cgi-bin to httpd_sys_content_t, then you should remove those with semanage fcontext -d '/var/www/cgi-bin' (or whatever the pattern for the local modification is), as that's incorrect labelling.
While you're checking selinux configuration do a quick getsebool httpd_enable_cgi ... it's on by default but worth verifying :)
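As an added illustration, not part of either message in this thread: the checks the reply walks through, plus a small triage of the posted AVC record, as a shell script. The AVC line is the one quoted above; the function names, the default cgi-bin path, and the extra `matchpathcon` and `restorecon -n` dry-run calls are this example's own assumptions rather than anything the reply stated. The live checks only run where `semanage` is installed, so the parsing part can be tried on any box.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: parse the posted AVC denial and run the
# labelling checks the reply suggests. Function names, CGI_DIR's default and the
# matchpathcon / restorecon -n dry-run calls are this example's own assumptions.
set -u

# Constructed sample input: the AVC record quoted in the thread, as one line.
SAMPLE_AVC='type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" ino=537182029 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value from an AVC record, quotes stripped.
avc_field() {
    local line=$1 key=$2 val
    val=$(printf '%s\n' "$line" | sed -n "s/.*[[:space:]]$key=\([^[:space:]]*\).*/\1/p")
    val=${val%\"}
    val=${val#\"}
    printf '%s\n' "$val"
}

# context_type CONTEXT: the type component (user:role:TYPE:level) of an SELinux label.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_cgi_target TYPE: is a file of this type something httpd_t may execute as a
# CGI script? httpd_sys_content_t is read-only content, hence the execute denial.
classify_cgi_target() {
    case $1 in
        httpd_sys_script_exec_t) printf 'ok\n' ;;
        httpd_sys_content_t)     printf 'relabel\n' ;;
        *)                       printf 'other\n' ;;
    esac
}

# triage_avc LINE: "<file> <target type> <verdict>" for an httpd execute denial.
triage_avc() {
    local tctx ttype name
    tctx=$(avc_field "$1" tcontext)
    ttype=$(context_type "$tctx")
    name=$(avc_field "$1" name)
    printf '%s %s %s\n' "$name" "$ttype" "$(classify_cgi_target "$ttype")"
}

# Live checks from the reply; they only run where the SELinux tools exist, so the
# script is harmless elsewhere. CGI_DIR assumes the stock /var/www/cgi-bin layout.
CGI_DIR=${CGI_DIR:-/var/www/cgi-bin}
live_checks() {
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not found; skipping live checks"
        return 0
    fi
    echo "== local fcontext modifications (empty means none):"
    semanage fcontext -lC
    echo "== label the policy expects for $CGI_DIR:"
    matchpathcon "$CGI_DIR"
    echo "== labels actually on disk:"
    ls -Z "$CGI_DIR"
    echo "== httpd_enable_cgi boolean:"
    getsebool httpd_enable_cgi
    echo "== what restorecon -Rv /var/www would change (dry run, -n):"
    restorecon -Rvn /var/www
}

# Usage: ./cgi_avc_triage.sh         -> triage the sample record
#        ./cgi_avc_triage.sh --live  -> also run the on-host checks
triage_avc "$SAMPLE_AVC"
if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

Run without arguments it reports the posted record as `s.check.cgi httpd_sys_content_t relabel`; with `--live` it lists local fcontext changes, compares the on-disk label of cgi-bin with what the policy expects, prints the boolean, and shows what `restorecon -Rv /var/www` would change without touching anything.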