[CentOS] selinux denial of cgi script with httpd using ssl

Gregory P. Ennis PoMec at PoMec.Net
Mon Sep 4 21:49:21 UTC 2017


Thanks for your help.

I did pick up an additional entry in the audit file:


type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for
pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0"
ino=537182029 scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

Unfortunately, I am not sure how the above tells me what is wrong.

Greg

-----Original Message-----
From: Clint Dilks <clintd at scms.waikato.ac.nz>
Reply-to: CentOS mailing list <centos at centos.org>
To: CentOS mailing list <centos at centos.org>
Subject: Re: [CentOS] selinux denial of cgi script with httpd using ssl
Date: Tue, 5 Sep 2017 09:38:27 +1200

Hi,

Try disabling Don't Audit rules

semodule -DB

Then check /var/log/audit.log

To re-enable

semodule -B






On Tue, Sep 5, 2017 at 5:07 AM, Gregory P. Ennis <PoMec at pomec.net> wrote:

> Everyone,
>
> I am trying to use a cgi perl script for a CentOS 7 website that works
> fine with selinux in permissive mode but fails with selinux in enforcing
> mode.
>
> The problem I have is that I can not find where the selinux error
> message is being recorded.
>
> It does not appear to be in the /var/log/messages
> or /var/log/audit/audit.log.  I do not get
> any /var/log/httpd/ssl_error_log entries. I do get a successful entry
> into /var/log/httpd/ssl_access_log and ssl_request_log when selinux is
> in permissive mode, but not when selinux is in enforcing mode.
>
> The only place I can see that I am getting an error message is in the
> /var/log/httpd/error_log which is as follows:
>
> Mon Sep 04 11:40:24.216569 2017] [cgi:error] [pid 2290] [client
> x.x.x.x:55748] AH01215: (13)Permission denied: exec of
> '/var/www/cgi-bin/name.of.script.cgi' failed, referer:
> https://name.domain.com/
>
> When selinux is in permissive mode the above error does not occur and
> the script works fine.  When selinux is in enforcing mode the above
> error occurs, and the cgi script fails to execute.
>
> Is there a way to increase the sensitivity of selinux logging, or is
> there a different place to look for the error that prevents the
> execution of the script?
>
> Your help would be appreciated.
>
> Thanks,
>
> Greg Ennis
>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>
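
Added example, not part of the original thread: a small parser that splits the AVC record quoted at the top of this message into the fields SELinux type enforcement decides on (source type, target type, object class, permission). The function names are hypothetical and the sample is the record from the message, joined onto one line.

```python
import re
import shlex

# The AVC record from the message above, joined back onto one line.
SAMPLE = (
    'type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for '
    'pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" '
    'ino=537182029 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)

def parse_context(ctx):
    """Split user:role:type[:level]; an MLS/MCS level may itself contain colons."""
    user, role, typ, level = (ctx.split(':', 3) + [None])[:4]
    return {'user': user, 'role': role, 'type': typ, 'level': level}

def parse_avc(line):
    """Return the fields of one AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # shlex strips the double quotes around comm=, name= and dev= values.
    kv = dict(t.split('=', 1) for t in shlex.split(m['rest']) if '=' in t)
    return {
        'serial': m['serial'], 'result': m['result'], 'perms': m['perms'].split(),
        'comm': kv.get('comm'), 'name': kv.get('name'), 'ino': kv.get('ino'),
        'tclass': kv.get('tclass'),
        'source': parse_context(kv['scontext']),
        'target': parse_context(kv['tcontext']),
    }

def access_vector(rec):
    """The tuple type enforcement decides on: (source type, target type, class, perms)."""
    return (rec['source']['type'], rec['target']['type'], rec['tclass'], tuple(rec['perms']))

def explain(rec):
    src, tgt, cls, perms = access_vector(rec)
    return (f"{rec['result']}: {rec['comm']} running as {src} requested "
            f"{{ {' '.join(perms)} }} on {cls} '{rec['name']}' "
            f"(inode {rec['ino']}) labelled {tgt}")

if __name__ == '__main__':
    print(explain(parse_avc(SAMPLE)))
```

In the targeted policy, httpd_sys_content_t is the type for static web content and httpd_sys_script_exec_t is the type for CGI scripts, so the target type in this tuple is the field to compare against the `ls -Z` output for the script.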