[CODE4LIB] selinux

Eric Lease Morgan Sat, 26 Dec 2015 17:05:58 -0800

How do I modify the permissions of a file under the supervision of SELunix so 
the file can be executed as a CGI script?


I have two CGI scripts designed to do targeted crawls against remote hosts. One 
script uses rsync on port 873 and the other uses wget on port 443. I can run 
these scripts as me without any problems. None. They work exactly as expected. 
But when the scripts are executed from my HTTP server and under the user apache 
both rsync and wget fail. I have traced the errors to some sort of permission 
problems generated from SELinux. Specifically, SELinux generates the following 
errors for the rsync script:

  type=AVC msg=audit(1450984068.685:19667): avc:  denied  {
  name_connect } for  pid=11826 comm="rsync" dest=873
  scontext=unconfined_u:system_r:httpd_sys_script_t:s0
  tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket

  type=SYSCALL msg=audit(1450984068.685:19667): arch=c000003e
  syscall=42 success=no exit=-13 a0=3 a1=1b3c030 a2=10
  a3=7fffb057acc0 items=0 ppid=11824 pid=11826 auid=500 uid=48
  gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
  tty=(none) ses=165 comm="rsync" exe="/usr/bin/rsync"
  subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)

SELinux generates these errors for the wget script:

  type=AVC msg=audit(1450984510.396:19715): avc:  denied  {
  name_connect } for  pid=13263 comm="wget" dest=443
  scontext=unconfined_u:system_r:httpd_sys_script_t:s0
  tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

  type=SYSCALL msg=audit(1450984510.396:19715): arch=c000003e
  syscall=42 success=no exit=-13 a0=4 a1=7ffe1d05b890 a2=10
  a3=7ffe1d05b4f0 items=0 ppid=13219 pid=13263 auid=500 uid=48
  gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
  tty=(none) ses=165 comm="wget" exe="/usr/bin/wget"
  subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)

How do I diagnose these errors? Do I need to use something like chcon to change 
my CGI scripts’ permissions? Maybe I need to use chcon to change rsync’s or 
wget’s permissions? Maybe I need to use something like semanage (which doesn’t 
exist on my system) to change the user apache’s permissions?

This is a level of the operating system of which I am unfamiliar. 

— 
Eric Lease Morgan

[CODE4LIB] selinux

Reply via email to