On Dec 26, 2015, at 8:14 PM, Childs, Riley <[log in to unmask]> wrote:

>> How do I modify the permissions of a file under the supervision of SELinux
>> so the file can be executed as a CGI script?
>> 
>> I have two CGI scripts designed to do targeted crawls against remote
>> hosts. One script uses rsync on port 873 and the other uses wget on port
>> 443. I can run these scripts as me without any problems. None. They work
>> exactly as expected. But when the scripts are executed from my HTTP server
>> and under the user apache both rsync and wget fail. I have traced the
>> errors to some sort of permission problems generated from SELinux.
>> Specifically, SELinux generates the following errors for the rsync script:
>> 
>>  type=AVC msg=audit(1450984068.685:19667): avc:  denied  {
>>  name_connect } for  pid=11826 comm="rsync" dest=873
>>  scontext=unconfined_u:system_r:httpd_sys_script_t:s0
>>  tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
>> 
>>  type=SYSCALL msg=audit(1450984068.685:19667): arch=c000003e
>>  syscall=42 success=no exit=-13 a0=3 a1=1b3c030 a2=10
>>  a3=7fffb057acc0 items=0 ppid=11824 pid=11826 auid=500 uid=48
>>  gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
>>  tty=(none) ses=165 comm="rsync" exe="/usr/bin/rsync"
>>  subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
>> 
>> SELinux generates these errors for the wget script:
>> 
>>  type=AVC msg=audit(1450984510.396:19715): avc:  denied  {
>>  name_connect } for  pid=13263 comm="wget" dest=443
>>  scontext=unconfined_u:system_r:httpd_sys_script_t:s0
>>  tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
>> 
>>  type=SYSCALL msg=audit(1450984510.396:19715): arch=c000003e
>>  syscall=42 success=no exit=-13 a0=4 a1=7ffe1d05b890 a2=10
>>  a3=7ffe1d05b4f0 items=0 ppid=13219 pid=13263 auid=500 uid=48
>>  gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
>>  tty=(none) ses=165 comm="wget" exe="/usr/bin/wget"
>>  subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
>> 
>> How do I diagnose these errors? Do I need to use something like chcon to
>> change my CGI scripts’ permissions? Maybe I need to use chcon to change
>> rsync’s or wget’s permissions? Maybe I need to use something like semanage
>> (which doesn’t exist on my system) to change the user apache’s permissions?
> 
> SELinux :) Which distro are you running?

  I am running CentOS release 6.7. —ELM
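A small triage helper, added here as an illustration and not part of the thread: it parses AVC records like the two quoted above, pulls out the source type, the denied permission, the target type and the port, and names the SELinux boolean worth checking first (httpd_can_network_connect, which gates outbound TCP connects from the httpd domains, including httpd_sys_script_t). The sample audit text is constructed from the thread's records, reflowed to one line each as audit.log stores them; the hint table is an assumption of this example, not something the thread states.

```python
import re

# Constructed sample: the thread's AVC/SYSCALL records, one per line as in /var/log/audit/audit.log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1450984068.685:19667): avc:  denied  { name_connect } for  pid=11826 comm="rsync" dest=873 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1450984068.685:19667): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=1b3c030 a2=10 a3=7fffb057acc0 items=0 ppid=11824 pid=11826 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=165 comm="rsync" exe="/usr/bin/rsync" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1450984510.396:19715): avc:  denied  { name_connect } for  pid=13263 comm="wget" dest=443 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
"""

# Matches the fixed prefix of an AVC record and captures the permission set and trailing key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm="rsync") or bare (dest=873).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # An SELinux context is user:role:type:level; the type is what policy rules are written against.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


# Hypothetical hint table (an assumption of this example): which check to run first for a given
# (source type, object class, permission). httpd_can_network_connect is the boolean that allows
# httpd domains to make outbound TCP connections; anything else falls back to audit2allow -w.
NETWORK_HINTS = {
    ("httpd_sys_script_t", "tcp_socket", "name_connect"): "getsebool httpd_can_network_connect",
    ("httpd_t", "tcp_socket", "name_connect"): "getsebool httpd_can_network_connect",
}


def triage(audit_text):
    """Return (comm, source type, permission, target type, dest port, hint) for each denial."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            hint = NETWORK_HINTS.get((rec["stype"], rec["tclass"], perm), "audit2allow -w < audit.log")
            findings.append((rec["comm"], rec["stype"], perm, rec["ttype"], rec.get("dest"), hint))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT):
        print(finding)
```

Run it against a real audit.log to get the same tuple per denial; the hint is a starting point for diagnosis, and whether flipping the boolean is acceptable depends on whether the CGI scripts should be allowed to reach arbitrary hosts at all.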