Find the answer to your Linux question:
Results 1 to 3 of 3
I run Fedora 9 with with Apache and Perl. When I got to http://mywebsite/cgi-bin/pb.cgi , it doesn't work properly. My script uses curl to access a website, and it works, ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Jul 2008
    Posts
    2

    SELinux not allowing my Perl CGI full access?


    I run Fedora 9 with with Apache and Perl. When I got to http://mywebsite/cgi-bin/pb.cgi, it doesn't work properly. My script uses curl to access a website, and it works, but when I look at it from localhost, it only outputs statements like print "test"; My curl doesn't output, and I don't think it is running. SELinux is causing the problem. It issues 3 denials every time I run the script. Here is what it says:

    SELinux prevented httpd reading and writing access to http files. Ordinarily httpd is allowed full access to all files labeled with http file context. This machine has a tightened security policy with the httpd_unified turned off, this requires explicit labeling of all files. If a file is a cgi script it needs to be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is read-only content, it needs to be labeled httpd_TYPE_content_t, it is writable content. it needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon command to change these contexts. Please refer to the man page "man httpd_selinux" or FAQ "TYPE" refers to one of "sys", "user" or "staff" or potentially other script types.

    that one is stupid because i have httpd_unified ON!

    SELinux is preventing pb.cgi (httpd_sys_script_t) "create" to <Unknown> (httpd_sys_script_t). SELinux denied access requested by pb.cgi. It is not expected that this access is required by pb.cgi and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

    SELinux is preventing pb.cgi (httpd_sys_script_t) "getsched" to <Unknown> (httpd_sys_script_t).

    I don't get what those mean! I know my script is trying to write to a cookie file, and I don't know how to let it do that, but I don't know what the other ones mean. If you need me to post my script, I will.

  2. #2
    Just Joined!
    Join Date
    Sep 2008
    Location
    Earth
    Posts
    51
    have you looked into using audit2allow to create a .te file from /var/log/messages. Its something like...

    audit2allow -M "any-name" < /var/log/messages
    This will read your messages file and make a .te to resolve the issue in most cases. The .te file is asci so you can read it once you run the command . When this is done you will need to run checkpolicy to create the mod file, then push the config to selinux to make it active as a moduel via the command semodule. I ran by a really good link explaining this a while back, I will search and link it here.

  3. #3
    Just Joined!
    Join Date
    Sep 2008
    Location
    Earth
    Posts
    51

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •