On Dec 26, 2015, at 8:14 PM, Childs, Riley <[log in to unmask]> wrote:

>> How do I modify the permissions of a file under the supervision of SELinux
>> so the file can be executed as a CGI script?
>>
>> I have two CGI scripts designed to do targeted crawls against remote
>> hosts. One script uses rsync on port 873 and the other uses wget on port
>> 443. I can run these scripts as me without any problems. None. They work
>> exactly as expected. But when the scripts are executed from my HTTP server
>> and under the user apache both rsync and wget fail. I have traced the
>> errors to some sort of permission problems generated from SELinux.
>> Specifically, SELinux generates the following errors for the rsync script:
>>
>>   type=AVC msg=audit(1450984068.685:19667): avc: denied {
>>   name_connect } for pid=11826 comm="rsync" dest=873
>>   scontext=unconfined_u:system_r:httpd_sys_script_t:s0
>>   tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
>>
>>   type=SYSCALL msg=audit(1450984068.685:19667): arch=c000003e
>>   syscall=42 success=no exit=-13 a0=3 a1=1b3c030 a2=10
>>   a3=7fffb057acc0 items=0 ppid=11824 pid=11826 auid=500 uid=48
>>   gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
>>   tty=(none) ses=165 comm="rsync" exe="/usr/bin/rsync"
>>   subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
>>
>> SELinux generates these errors for the wget script:
>>
>>   type=AVC msg=audit(1450984510.396:19715): avc: denied {
>>   name_connect } for pid=13263 comm="wget" dest=443
>>   scontext=unconfined_u:system_r:httpd_sys_script_t:s0
>>   tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
>>
>>   type=SYSCALL msg=audit(1450984510.396:19715): arch=c000003e
>>   syscall=42 success=no exit=-13 a0=4 a1=7ffe1d05b890 a2=10
>>   a3=7ffe1d05b4f0 items=0 ppid=13219 pid=13263 auid=500 uid=48
>>   gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
>>   tty=(none) ses=165 comm="wget" exe="/usr/bin/wget"
>>   subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
>>
>> How do I diagnose these errors? Do I need to use something like chcon to
>> change my CGI scripts’ permissions? Maybe I need to use chcon to change
>> rsync’s or wget’s permissions? Maybe I need to use something like semanage
>> (which doesn’t exist on my system) to change the user apache’s permissions
>
> SELinux :) Which distro are you running?

I am running CentOS release 6.7.

—ELM