Gregory P. Ennis
2017-Sep-04 17:07 UTC
[CentOS] selinux denial of cgi script with httpd using ssl
Everyone,

I am trying to use a cgi perl script for a CentOS 7 website that works fine with selinux in permissive mode but fails with selinux in enforcing mode.

The problem I have is that I cannot find where the selinux error message is being recorded.

It does not appear to be in /var/log/messages or /var/log/audit/audit.log. I do not get any /var/log/httpd/ssl_error_log entries. I do get a successful entry in /var/log/httpd/ssl_access_log and ssl_request_log when selinux is in permissive mode, but not when selinux is in enforcing mode.

The only place I can see that I am getting an error message is in /var/log/httpd/error_log, which is as follows:

Mon Sep 04 11:40:24.216569 2017] [cgi:error] [pid 2290] [client x.x.x.x:55748] AH01215: (13)Permission denied: exec of '/var/www/cgi-bin/name.of.script.cgi' failed, referer: https://name.domain.com/

When selinux is in permissive mode the above error does not occur and the script works fine. When selinux is in enforcing mode the above error occurs, and the cgi script fails to execute.

Is there a way to increase the sensitivity of selinux logging, or is there a different place to look for the error that prevents the execution of the script?

Your help would be appreciated.

Thanks,

Greg Ennis
Clint Dilks
2017-Sep-04 21:38 UTC
[CentOS] selinux denial of cgi script with httpd using ssl
Hi,

Try disabling Don't Audit rules

semodule -DB

Then check /var/log/audit.log

To re-enable

semodule -B
Gregory P. Ennis
2017-Sep-04 21:49 UTC
[CentOS] selinux denial of cgi script with httpd using ssl
Thanks for your help. I did pick up an additional entry in the audit file:

type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" ino=537182029 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

Unfortunately, I am not sure how the above tells me what is wrong.

Greg
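
Added example, not part of the original thread: a small shell script that takes the AVC record from the last message apart field by field and states what it means. The /var/www/cgi-bin path is an assumption taken from the error_log line in the first message, and the function names are illustrative.

```sh
#!/bin/sh
# Added example, not from the thread: decode the AVC record Greg posted.
# Embedded verbatim from the message above so the script runs offline.
AVC='type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" ino=537182029 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value, double quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1 | tr -d '"'
}

# avc_perms LINE: print the denied permissions listed between the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# ctx_type CONTEXT: print the type, the third field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_explain LINE: one-line reading of the denial, plus a hint for the
# case seen in this thread (httpd_t executing a file labelled as content).
avc_explain() {
    perms=$(avc_perms "$1")
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    name=$(avc_field "$1" name)
    class=$(avc_field "$1" tclass)
    echo "process type $src was denied { $perms } on $class '$name' labelled $tgt"
    if [ "$src" = httpd_t ] && [ "$tgt" = httpd_sys_content_t ]; then
        case " $perms " in
        *" execute "*)
            # Assumption: the script sits in /var/www/cgi-bin, the directory
            # named in the httpd error_log line quoted in the first message.
            path="/var/www/cgi-bin/$name"
            echo "hint: httpd_sys_content_t marks static content; CGI programs"
            echo "      need httpd_sys_script_exec_t. Inspect and relabel with:"
            echo "      ls -Z $path"
            echo "      restorecon -v $path"
            ;;
        esac
    fi
}

avc_explain "$AVC"
```

The unconfined_u user in the target context is consistent with a file that was created or moved into place by a logged-in user and kept its label, which restorecon resets to the policy default for that path.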