[CentOS] selinux denial of cgi script with httpd using ssl
Alexander Dalloz
ad+lists at uni-x.org
Mon Sep 4 22:12:33 UTC 2017
On 04.09.2017 at 23:49, Gregory P. Ennis wrote:
> Thanks for your help.
>
> I did pick up an additional entry in the audit file :
>
>
> type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for
> pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0"
> ino=537182029 scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
>
> Unfortunately, I am not sure how the above tells me what is wrong.
>
> Greg

From the above log entry you see that the file object denied to execute
('/var/www/cgi-bin/name.of.script.cgi') has the SELinux context type
httpd_sys_content_t.

# semanage fcontext -l | grep '/var/www/cgi-bin'
/var/www/cgi-bin(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
[ ... ]

The permitted type is httpd_sys_script_exec_t.

`restorecon -Rv /var/www/cgi-bin/' can fix it. Or more targeted
`chcon -t httpd_sys_script_exec_t /var/www/cgi-bin/name.of.script.cgi'.

Both audit2why and audit2allow suggest activating a boolean which you may
not want to set as it disables a more fine-grained privilege separation
in the context of httpd actions.

Alexander
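The comparison made in the reply above, as an added example that is not part of the original message or of any SELinux tool: it parses the quoted AVC record, takes the type from `tcontext`, and checks it against the `semanage fcontext -l` rule shown in the message. The function names and the assumption that the script sits in /var/www/cgi-bin are this example's own.

```python
import re

# AVC record quoted in the message above (mail line-wrapping removed).
AVC = ('type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for '
       'pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" '
       'ino=537182029 scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file')

# Rule from the `semanage fcontext -l` output in the message: (path regex, context).
FCONTEXT_RULES = [
    (r'/var/www/cgi-bin(/.*)?', 'system_u:object_r:httpd_sys_script_exec_t:s0'),
]

def parse_avc(line):
    """Split an AVC denial into its key=value fields plus the denied permissions."""
    denied = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if denied is None:
        raise ValueError('not an AVC denial record')
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields['perms'] = denied.group(1).split()
    return fields

def ctx_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def expected_type(path, rules=FCONTEXT_RULES):
    """Type the policy assigns to path. File-context regexes match the whole path.
    Simplification: first matching rule wins; libselinux's ordering of
    overlapping rules is not reproduced here."""
    for pattern, context in rules:
        if re.fullmatch(pattern, path):
            return ctx_type(context)
    return None

def diagnose(avc_line, path):
    """Compare the label on the denied object with the label the policy expects."""
    avc = parse_avc(avc_line)
    actual, want = ctx_type(avc['tcontext']), expected_type(path)
    return {'domain': ctx_type(avc['scontext']), 'perms': avc['perms'],
            'tclass': avc['tclass'], 'actual': actual, 'expected': want,
            'mislabeled': want is not None and actual != want}

if __name__ == '__main__':
    # Assumption: the script lives in /var/www/cgi-bin, as the reply takes it to.
    fields = parse_avc(AVC)
    print(diagnose(AVC, '/var/www/cgi-bin/' + fields['name']))
```

A `mislabeled` result of true means the file's label differs from what the policy's file-context rules assign, which is the case a relabel addresses without changing any boolean.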