SELinux :)
Which distro are you running?
On Dec 26, 2015 20:05, "Eric Lease Morgan" <[log in to unmask]> wrote:

> How do I modify the permissions of a file under the supervision of SELinux
> so the file can be executed as a CGI script?
>
> I have two CGI scripts designed to do targeted crawls against remote
> hosts. One script uses rsync on port 873 and the other uses wget on port
> 443. I can run these scripts as me without any problems. None. They work
> exactly as expected. But when the scripts are executed from my HTTP server
> and under the user apache both rsync and wget fail. I have traced the
> errors to some sort of permission problems generated from SELinux.
> Specifically, SELinux generates the following errors for the rsync script:
>
>   type=AVC msg=audit(1450984068.685:19667): avc:  denied  {
>   name_connect } for  pid=11826 comm="rsync" dest=873
>   scontext=unconfined_u:system_r:httpd_sys_script_t:s0
>   tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
>
>   type=SYSCALL msg=audit(1450984068.685:19667): arch=c000003e
>   syscall=42 success=no exit=-13 a0=3 a1=1b3c030 a2=10
>   a3=7fffb057acc0 items=0 ppid=11824 pid=11826 auid=500 uid=48
>   gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
>   tty=(none) ses=165 comm="rsync" exe="/usr/bin/rsync"
>   subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
>
> SELinux generates these errors for the wget script:
>
>   type=AVC msg=audit(1450984510.396:19715): avc:  denied  {
>   name_connect } for  pid=13263 comm="wget" dest=443
>   scontext=unconfined_u:system_r:httpd_sys_script_t:s0
>   tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
>
>   type=SYSCALL msg=audit(1450984510.396:19715): arch=c000003e
>   syscall=42 success=no exit=-13 a0=4 a1=7ffe1d05b890 a2=10
>   a3=7ffe1d05b4f0 items=0 ppid=13219 pid=13263 auid=500 uid=48
>   gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
>   tty=(none) ses=165 comm="wget" exe="/usr/bin/wget"
>   subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
>
> How do I diagnose these errors? Do I need to use something like chcon to
> change my CGI scripts’ permissions? Maybe I need to use chcon to change
> rsync’s or wget’s permissions? Maybe I need to use something like semanage
> (which doesn’t exist on my system) to change the user apache’s permissions?
>
> This is a level of the operating system with which I am unfamiliar.
>
> —
> Eric Lease Morgan
>
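One way to read the denials quoted above, as an added example that is not part of the original thread: the Python sketch below pairs each AVC record with its SYSCALL record by audit serial number and reduces it to source type, target type, class and permission. The function names are hypothetical; the log lines are the ones from the message, unwrapped onto single lines.

```python
import errno
import re
from collections import defaultdict

# Records from the message above, each unwrapped onto a single line.
AUDIT_LOG = """\
type=AVC msg=audit(1450984068.685:19667): avc:  denied  { name_connect } for  pid=11826 comm="rsync" dest=873 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1450984068.685:19667): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=1b3c030 a2=10 a3=7fffb057acc0 items=0 ppid=11824 pid=11826 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=165 comm="rsync" exe="/usr/bin/rsync" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1450984510.396:19715): avc:  denied  { name_connect } for  pid=13263 comm="wget" dest=443 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1450984510.396:19715): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7ffe1d05b890 a2=10 a3=7ffe1d05b4f0 items=0 ppid=13219 pid=13263 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=165 comm="wget" exe="/usr/bin/wget" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by serial number: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            p = PERMS.search(body)
            fields["perms"] = p.group(1).split() if p else []
        events[int(serial)][rtype] = fields
    return events

def summarize(text):
    """One dict per denial: which domain was refused what, on which target type."""
    out = []
    for serial, recs in sorted(parse_events(text).items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc is None:
            continue
        out.append({
            "serial": serial, "exe": sc.get("exe"), "uid": sc.get("uid"),
            "source_type": avc["scontext"].split(":")[2],  # user:role:type:level
            "target_type": avc["tcontext"].split(":")[2],
            "class": avc["tclass"], "perms": avc["perms"], "dest": avc.get("dest"),
            # SYSCALL exit is a negated errno; -13 is EACCES
            "errno": errno.errorcode.get(-int(sc.get("exit", 0))),
        })
    return out

if __name__ == "__main__":
    print(*summarize(AUDIT_LOG), sep="\n")
```

For the two events in the message it reports `httpd_sys_script_t` denied `name_connect` on a `tcp_socket` labelled `rsync_port_t` (dest 873) and `http_port_t` (dest 443), both from uid 48 with EACCES.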