On 4 September 2017 at 23:12, Alexander Dalloz <ad+lists at uni-x.org> wrote: > Am 04.09.2017 um 23:49 schrieb Gregory P. Ennis: > >> Thanks for your help. >> >> I did pick up an additional entry in the audit file : >> >> >> type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for >> pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" >> ino=537182029 scontext=system_u:system_r:httpd_t:s0 >> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file >> >> Unfortunately, I am not sure how the above tells me what is wrong. >> >> Greg >> > > From above log entry you see that the file object denied to execute > ('/var/www/cgi-bin/name.of.script.cgi) has the SELinux context type > httpd_sys_content_t. > > # semanage fcontext -l | grep '/var/www/cgi-bin' > /var/www/cgi-bin(/.*)? all files > system_u:object_r:httpd_sys_script_exec_t:s0 > [ ... ] > > The permitted type is httpd_sys_script_exec_t. > > `restorecon -Rv /var/www/cgi-bin/' can fix it. Or more targeted `chcon -t > httpd_sys_script_exec_t /var/www/cgi-bin/name.of.script.cgi'. > > Both audit2why and audit2allow suggest to activate a boolean which you may > not want to set as it disables a more fine grained priviledge separation in > the context of httpd actions. > > > Don't ever use chcon unless you hate future you or random future team member when they wonder why things break after a relabelling!