SELinux :) Which distro are you running?

On Dec 26, 2015 20:05, "Eric Lease Morgan" wrote:
> How do I modify the permissions of a file under the supervision of SELinux
> so the file can be executed as a CGI script?
>
> I have two CGI scripts designed to do targeted crawls against remote
> hosts. One script uses rsync on port 873 and the other uses wget on port
> 443. I can run these scripts as me without any problems. None. They work
> exactly as expected. But when the scripts are executed from my HTTP server
> and under the user apache both rsync and wget fail. I have traced the
> errors to some sort of permission problems generated from SELinux.
> Specifically, SELinux generates the following errors for the rsync script:
>
>   type=AVC msg=audit(1450984068.685:19667): avc: denied {
>   name_connect } for pid=11826 comm="rsync" dest=873
>   scontext=unconfined_u:system_r:httpd_sys_script_t:s0
>   tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
>
>   type=SYSCALL msg=audit(1450984068.685:19667): arch=c000003e
>   syscall=42 success=no exit=-13 a0=3 a1=1b3c030 a2=10
>   a3=7fffb057acc0 items=0 ppid=11824 pid=11826 auid=500 uid=48
>   gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
>   tty=(none) ses=165 comm="rsync" exe="/usr/bin/rsync"
>   subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
>
> SELinux generates these errors for the wget script:
>
>   type=AVC msg=audit(1450984510.396:19715): avc: denied {
>   name_connect } for pid=13263 comm="wget" dest=443
>   scontext=unconfined_u:system_r:httpd_sys_script_t:s0
>   tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
>
>   type=SYSCALL msg=audit(1450984510.396:19715): arch=c000003e
>   syscall=42 success=no exit=-13 a0=4 a1=7ffe1d05b890 a2=10
>   a3=7ffe1d05b4f0 items=0 ppid=13219 pid=13263 auid=500 uid=48
>   gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
>   tty=(none) ses=165 comm="wget" exe="/usr/bin/wget"
>   subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
>
> How do I diagnose these errors? Do I need to use something like chcon to
> change my CGI scripts’ permissions? Maybe I need to use chcon to change
> rsync’s or wget’s permissions? Maybe I need to use something like semanage
> (which doesn’t exist on my system) to change the user apache’s permissions?
>
> This is a level of the operating system with which I am unfamiliar.
>
> —
> Eric Lease Morgan
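
As an added example (not part of either message above), this small Python parser reduces the AVC records quoted in the question to the four things a denial is made of: the source domain, the target type, the object class and the permission. The sample input is the two AVC records from the message rejoined onto single lines, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted above, each rejoined onto one line.
SAMPLE = """\
type=AVC msg=audit(1450984068.685:19667): avc: denied { name_connect } for pid=11826 comm="rsync" dest=873 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1450984510.396:19715): avc: denied { name_connect } for pid=13263 comm="wget" dest=443 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def ctx_type(ctx):
    """Return the type field of a user:role:type:level context."""
    # The level can contain colons itself (s0:c0.c1023), so split at most 3 times.
    parts = ctx.split(':', 3)
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    dest = fields.get('dest', '')
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'source_type': ctx_type(fields.get('scontext', '')),  # domain of the process
        'target_type': ctx_type(fields.get('tcontext', '')),  # label of the object
        'tclass': fields.get('tclass'),
        'dest': int(dest) if dest.isdigit() else None,
    }


def summarize(text):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL and other record types carry no denial detail
        for perm in rec['perms']:
            key = (rec['source_type'], rec['target_type'], rec['tclass'], perm)
            groups[key].add((rec['comm'], rec['dest']))
    return dict(groups)


if __name__ == '__main__':
    for (src, tgt, cls, perm), who in sorted(summarize(SAMPLE).items()):
        print(f'{src} denied {perm} on {cls} labelled {tgt}: {sorted(who, key=str)}')
```

Both records reduce to the same source domain, `httpd_sys_script_t`, being denied `name_connect` on a `tcp_socket`; only the port type differs (`rsync_port_t` for 873, `http_port_t` for 443).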