[CentOS] selinux denial of cgi script with httpd using ssl

Mon Sep 4 22:13:08 UTC 2017
James Hogarth <james.hogarth at gmail.com>

On 4 September 2017 at 22:49, Gregory P. Ennis <PoMec at pomec.net> wrote:

> Thanks for your help.
>
> I did pick up an additional entry in the audit file :
>
>
> type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for
> pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0"
> ino=537182029 scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
>
> Unfortunately, I am not sure how the above tells me what is wrong.
>
>
Odd it was in the dontaudit logs, as I think that should be logged
normally.

Executable scripts should be httpd_sys_script_exec_t rather than
httpd_sys_content_t, as the latter is just read only content files rather
than something to be executed.

The default policy has the cgi-bin directory contents labelled correctly by
default though ...

Could you please post the output of 'semanage fcontext -lC' ... this will
list any local file context modifications.

You could try restorecon -Rv /var/www to see if that fixes your labelling,
if you've not made any local modifications.

If you have made local modifications to set the contents of cgi-bin to
httpd_sys_content_t then you should remove those with semanage fcontext -d
'/var/www/cgi-bin' or whatever the pattern for the local modification is as
that's incorrect labelling.

While you're checking selinux configuration do a quick
getsebool httpd_enable_cgi ... it's on by default but worth verifying :)
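As an added illustration of the triage described in the reply above (this is example code written for this page, not something posted in the thread), the script below parses AVC records from audit.log, recognises the specific pattern of httpd_t being denied execute on a file labelled httpd_sys_content_t, and prints the checks James suggests (semanage fcontext -lC, restorecon -Rv /var/www, getsebool httpd_enable_cgi) without running any of them. The first sample record is the denial quoted in the thread; the second and third records, and the function names, are constructed here for the example and are not from the original post.

```shell
#!/bin/sh
# Triage an SELinux AVC denial like the one quoted in the thread and print the
# checks from the reply. Added example for this page; it only parses text and
# never runs semanage/restorecon/getsebool itself.

# Sample 1 is the denial quoted in the thread. Samples 2 and 3 are constructed
# for this example: a denial that is not a cgi-bin labelling problem, and a
# non-AVC audit record that must be ignored.
AVC_CGI='type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for  pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" ino=537182029 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'
AVC_HOME='type=AVC msg=audit(1504561400.001:10197): avc:  denied  { read } for  pid=19163 comm="/usr/sbin/httpd" name="index.html" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
NOT_AVC='type=SYSCALL msg=audit(1504561395.709:10196): arch=c000003e syscall=59 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0'

# avc_field LINE KEY -> value of KEY=... with surrounding quotes stripped,
# empty line if the key is absent (always exits 0 so it is safe under set -e)
avc_field() {
    set -f                      # no globbing while the record is word-split
    for tok in $1; do
        case $tok in
            "$2="*)
                val=${tok#*=}; val=${val#\"}; val=${val%\"}
                set +f; printf '%s\n' "$val"; return 0 ;;
        esac
    done
    set +f
    printf '\n'
}

# avc_perm LINE -> the permission(s) inside "{ ... }", e.g. "execute"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the type field of user:role:type[:level]
ctx_type() {
    t=${1#*:}; t=${t#*:}; printf '%s\n' "${t%%:*}"
}

# diagnose_avc LINE -> one of: not-avc | mislabeled-cgi | other
diagnose_avc() {
    [ "$(avc_field "$1" type)" = AVC ] || { echo not-avc; return 0; }
    perm=$(avc_perm "$1")
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    # httpd_t asked to execute a file labelled as static content: the file
    # carries the wrong label (scripts need httpd_sys_script_exec_t)
    if [ "$src" = httpd_t ] && [ "$cls" = file ] && [ "$perm" = execute ] \
       && [ "$tgt" = httpd_sys_content_t ]; then
        echo mislabeled-cgi
    else
        echo other
    fi
}

# remediation_for DIAGNOSIS -> the checks suggested in the reply (printed, not run)
remediation_for() {
    case $1 in
        mislabeled-cgi)
            echo 'semanage fcontext -lC        # any local fcontext rules covering cgi-bin?'
            echo 'restorecon -Rv /var/www      # relabel from policy if there are none'
            echo 'getsebool httpd_enable_cgi   # on by default, but verify'
            ;;
        other)   echo '# not the cgi-bin labelling case; look at tcontext and tclass' ;;
        *)       echo '# no AVC record, nothing to do' ;;
    esac
}

# Demonstration on the embedded records
for rec in "$AVC_CGI" "$AVC_HOME" "$NOT_AVC"; do
    d=$(diagnose_avc "$rec")
    printf '%s  name=%s\n' "$d" "$(avc_field "$rec" name)"
    remediation_for "$d"
done
```

Feed real records with e.g. `grep ^type=AVC /var/log/audit/audit.log | while IFS= read -r l; do diagnose_avc "$l"; done`. Note that the AVC record gives only name= and ino=, not the full path, so the script reports the label mismatch but leaves it to semanage fcontext -lC and restorecon to tell you where the label came from and to fix it.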