How do I modify the permissions of a file under the supervision of SELunix so the file can be executed as a CGI script?
I have two CGI scripts designed to do targeted crawls against remote hosts. One script uses rsync on port 873 and the other uses wget on port 443. I can run these scripts as me without any problems. None. They work exactly as expected. But when the scripts are executed from my HTTP server and under the user apache both rsync and wget fail. I have traced the errors to some sort of permission problems generated from SELinux. Specifically, SELinux generates the following errors for the rsync script:
type=AVC msg=audit(1450984068.685:19667): avc: denied {
name_connect } for pid=11826 comm="rsync" dest=873
scontext=unconfined_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1450984068.685:19667): arch=c000003e
syscall=42 success=no exit=-13 a0=3 a1=1b3c030 a2=10
a3=7fffb057acc0 items=0 ppid=11824 pid=11826 auid=500 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
tty=(none) ses=165 comm="rsync" exe="/usr/bin/rsync"
subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
SELinux generates these errors for the wget script:
type=AVC msg=audit(1450984510.396:19715): avc: denied {
name_connect } for pid=13263 comm="wget" dest=443
scontext=unconfined_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1450984510.396:19715): arch=c000003e
syscall=42 success=no exit=-13 a0=4 a1=7ffe1d05b890 a2=10
a3=7ffe1d05b4f0 items=0 ppid=13219 pid=13263 auid=500 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
tty=(none) ses=165 comm="wget" exe="/usr/bin/wget"
subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
How do I diagnose these errors? Do I need to use something like chcon to change my CGI scripts’ permissions? Maybe I need to use chcon to change rsync’s or wget’s permissions? Maybe I need to use something like semanage (which doesn’t exist on my system) to change the user apache’s permissions?
This is a level of the operating system of which I am unfamiliar.
—
Eric Lease Morgan
|