From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050301 Firefox/1.0.1 Red Hat/1.0.1-1.4.3.centos4.1

Description of problem:
I have a system with /var on a separate partition (LVM volume), mounted with the nosuid flag. An attempt to run scripts in /var/www/cgi-bin results in:

kernel: audit(1110558179.124:0): avc: denied { execute_no_trans } for pid=8942 exe=/usr/sbin/httpd path=/var/www/cgi-bin/myprogram.cgi dev=dm-2 ino=432261 scontext=user_u:system_r:httpd_t tcontext=root:object_r:httpd_sys_script_exec_t tclass=file

I've checked the value of the httpd_enable_cgi boolean, and it is set to true.

# getsebool httpd_enable_cgi
httpd_enable_cgi --> active
# grep httpd_enable_cgi /etc/selinux/targeted/booleans
httpd_enable_cgi=1

The file security context is also correct on both the program file and the cgi-bin directory:

# ls -Za /var/www/cgi-bin
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
-rwxr-xr-x root root root:object_r:httpd_sys_script_exec_t myprogram.cgi

I'm kind of out of ideas about what else to do/check. I've attempted installing selinux-policy-targeted-1.17.30-2.86, but got the same behaviour.

BTW, this is on a RHEL4 clone; however, the SRPM package was the same, so the problem should exist on "real" RHEL4 too.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.52.1

How reproducible:
Always

Steps to Reproduce:
1. Attempt to run CGI programs in /var/www/cgi-bin

Additional info:
The nosuid flag prevents domain transitions from occurring. I'm not sure there exist any good fixes besides removing the nosuid flag or disabling enforcement for Apache. You might be able to change the script type to bin_t, but then the script will run as httpd_t.
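The comment above names the cause (a nosuid mount blocks the httpd_t to httpd_sys_script_t transition) but the reporter had checked booleans and file contexts without checking mount options. The following POSIX sh script is an added example, not part of this bug thread or of the selinux-policy package: it finds the mount that holds a given path by longest-prefix match over a table in /proc/self/mounts format and reports whether that mount carries nosuid. The mount table, the function names and the /usr/lib/cgi-bin path are constructed for the example; on a live system pass "$(cat /proc/self/mounts)" as the second argument.

```shell
#!/bin/sh
# Added example, not from the bug report or the SELinux policy package:
# locate the mount that holds a path (longest-prefix match against a mount
# table in /proc/self/mounts format) and report whether it carries "nosuid",
# the option that blocks the httpd_t -> httpd_sys_script_t domain transition.

# Constructed sample mount table (columns as in /proc/self/mounts:
# device mountpoint fstype options dump pass). Not taken from a real host.
SAMPLE_MOUNTS='/dev/mapper/vg-root / ext3 rw,relatime 0 0
/dev/mapper/vg-var /var ext3 rw,nosuid,relatime 0 0
/dev/mapper/vg-home /home ext3 rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# _mount_entry PATH [TABLE]: print "MOUNTPOINT OPTIONS" for the mount that
# holds PATH. TABLE defaults to SAMPLE_MOUNTS; on a live system pass
# "$(cat /proc/self/mounts)". Mount points are assumed to contain no spaces.
_mount_entry() {
    me_path=$1
    me_table=${2:-$SAMPLE_MOUNTS}
    me_best=
    me_bestopts=
    me_bestlen=0
    # A here-document rather than a pipe keeps the loop in the current
    # shell, so the me_best* variables survive it.
    while read -r me_dev me_mnt me_fs me_opts me_rest; do
        [ -n "$me_mnt" ] || continue
        if [ "$me_mnt" = / ]; then
            me_match=1
        else
            case "$me_path" in
                "$me_mnt"|"$me_mnt"/*) me_match=1 ;;
                *) me_match=0 ;;
            esac
        fi
        [ "$me_match" -eq 1 ] || continue
        me_len=${#me_mnt}
        if [ "$me_len" -gt "$me_bestlen" ]; then
            me_best=$me_mnt
            me_bestopts=$me_opts
            me_bestlen=$me_len
        fi
    done <<EOF
$me_table
EOF
    [ -n "$me_best" ] || return 1
    printf '%s %s\n' "$me_best" "$me_bestopts"
}

# mount_for_path PATH [TABLE]: print only the mount point holding PATH.
mount_for_path() {
    _mount_entry "$1" "$2" | cut -d' ' -f1
}

# has_nosuid PATH [TABLE]: exit 0 if the mount holding PATH is nosuid.
has_nosuid() {
    hn_opts=$(_mount_entry "$1" "$2" | cut -d' ' -f2)
    case ",$hn_opts," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# diagnose_cgi_dir DIR [TABLE]: one-line verdict; exit 0 when domain
# transitions can happen under DIR, 1 when nosuid blocks them.
diagnose_cgi_dir() {
    dc_mnt=$(mount_for_path "$1" "$2")
    if has_nosuid "$1" "$2"; then
        printf '%s is on %s mounted nosuid: execute_no_trans denials expected; remount with "mount -o remount,suid %s"\n' \
            "$1" "$dc_mnt" "$dc_mnt"
        return 1
    fi
    printf '%s is on %s without nosuid: domain transitions allowed\n' "$1" "$dc_mnt"
    return 0
}

# Demonstration on the constructed table (a nonzero exit is the finding,
# not an error, hence the "|| :").
diagnose_cgi_dir /var/www/cgi-bin || :
diagnose_cgi_dir /usr/lib/cgi-bin || :
```

Against the sample table the first call reports /var mounted nosuid, which matches the reporter's situation; the second, a directory under the root filesystem, passes. Checking this before booleans and file contexts would have shortened the investigation by two days.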
Thanks Colin. I've been attempting to solve this for a couple of days. Mounting the partition with the suid flag (default) solved the problem. BTW, it might be a good idea to include this piece of information in http://fedora.redhat.com/docs/selinux-apache-fc3/ (and related RHEL) documentation.