On Dec 26, 2015, at 8:14 PM, Childs, Riley wrote:
>> How do I modify the permissions of a file under the supervision of SELinux
>> so the file can be executed as a CGI script?
>>
>> I have two CGI scripts designed to do targeted crawls against remote
>> hosts. One script uses rsync on port 873 and the other uses wget on port
>> 443. I can run these scripts as me without any problems. None. They work
>> exactly as expected. But when the scripts are executed from my HTTP server
>> and under the user apache, both rsync and wget fail. I have traced the
>> errors to some sort of permission problems generated from SELinux.
>> Specifically, SELinux generates the following errors for the rsync script:
>>
>> type=AVC msg=audit(1450984068.685:19667): avc: denied {
>> name_connect } for pid=11826 comm="rsync" dest=873
>> scontext=unconfined_u:system_r:httpd_sys_script_t:s0
>> tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
>>
>> type=SYSCALL msg=audit(1450984068.685:19667): arch=c000003e
>> syscall=42 success=no exit=-13 a0=3 a1=1b3c030 a2=10
>> a3=7fffb057acc0 items=0 ppid=11824 pid=11826 auid=500 uid=48
>> gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
>> tty=(none) ses=165 comm="rsync" exe="/usr/bin/rsync"
>> subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
>>
>> SELinux generates these errors for the wget script:
>>
>> type=AVC msg=audit(1450984510.396:19715): avc: denied {
>> name_connect } for pid=13263 comm="wget" dest=443
>> scontext=unconfined_u:system_r:httpd_sys_script_t:s0
>> tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
>>
>> type=SYSCALL msg=audit(1450984510.396:19715): arch=c000003e
>> syscall=42 success=no exit=-13 a0=4 a1=7ffe1d05b890 a2=10
>> a3=7ffe1d05b4f0 items=0 ppid=13219 pid=13263 auid=500 uid=48
>> gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
>> tty=(none) ses=165 comm="wget" exe="/usr/bin/wget"
>> subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
>>
>> How do I diagnose these errors? Do I need to use something like chcon to
>> change my CGI scripts’ permissions? Maybe I need to use chcon to change
>> rsync’s or wget’s permissions? Maybe I need to use something like semanage
>> (which doesn’t exist on my system) to change the user apache’s permissions
>
> SELinux :) Which distro are you running?
I am running CentOS release 6.7. —ELM
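
Added example, not part of the original thread: a small parser for the AVC records quoted above that reduces each denial to source domain, target type, object class and permission, which is the first step in diagnosing them. The function names are hypothetical; the sample input is the two AVC lines from the message with the e-mail line wraps removed, plus a shortened SYSCALL record.

```python
import re
from collections import Counter

# AVC records from the quoted message (line wraps removed); SYSCALL record shortened.
SAMPLE = '''\
type=AVC msg=audit(1450984068.685:19667): avc: denied { name_connect } for pid=11826 comm="rsync" dest=873 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1450984068.685:19667): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1450984510.396:19715): avc: denied { name_connect } for pid=13263 comm="wget" dest=443 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
'''

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = (context or '').split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),       # ties the AVC to its SYSCALL record
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'dest': int(fields['dest']) if 'dest' in fields else None,
        'stype': selinux_type(fields.get('scontext')),  # domain of the process
        'ttype': selinux_type(fields.get('tcontext')),  # type of the object (here a port)
        'tclass': fields.get('tclass'),
    }

def summarize(text):
    """Count denials per (source domain, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec['perms']:
            counts[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts

if __name__ == '__main__':
    for (stype, ttype, tclass, perm), n in summarize(SAMPLE).items():
        print(f'{n}x {stype} -> {ttype} [{tclass} {perm}]')
```

For both records the target class is tcp_socket and the permission is name_connect: the denied operation is the httpd_sys_script_t domain connecting to a port type, not access to a labelled file.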