I searched for httpd and apache under the selinux components and couldn't find any results. So I guess this is new.

Description of problem:
With strict policy selected, httpd cannot run CGIs.

Version-Release number of selected component (if applicable):
selinux-policy 2.2.40-1.fc5
httpd 2.2.0-5.1.2

How reproducible:
Always

Steps to Reproduce:
1. In gnome, System > Administration > Security Level and Firewall
2. In the SELinux tab, set SELinux Setting to "Enforcing", click OK
3. Request something like http://localhost/path/to/some/file.cgi
4. tail -n2 /var/log/httpd/error_log

Actual results:
(13)Permission denied: exec of '/var/www/html/some/file.cgi' failed
Premature end of script headers: file.cgi

Expected results:
The CGI should run fine.

Additional info:
I did not manually edit the selinux policy. I always have the "SELinux Setting" on Enforcing, and (because I'm lazy and don't want to have to learn about how to configure SELinux :-( ) I use the Security Level Configuration program for tuning the SELinux policy. I usually have the following checked under "HTTPD Service":
- Allow HTTPD cgi support
- Allow HTTPD scripts and modules to connect to the network.
- Allow HTTPD to support built-in scripting
- Unify HTTPD handling of all content files.
- Unify HTTPD to communicate with the terminal.

According to my Apache logs, the last time I actually ran any CGIs with this computer was on May 15 (really, it was that long?). It worked then. Since then I have not adjusted the SELinux policy or changed the Apache configuration, or the CGIs' permissions. Neither of the last two are the problem: switching the policy to Permissive, or disabling SELinux makes things work as expected. Enabling "Disable SELinux protection for HTTPD" does not seem to do anything. I'd assume that I did something wrong, but I haven't made any changes in a while and it was working but now it is not.
(I can't confirm this on any other systems, but I assume this affects all architectures since selinux-policy is platform independent... right?)
Are you seeing AVC messages in your /var/log/messages or /var/log/audit/audit.log file?
In /var/log/messages I see repeated (obviously with different times):

May 26 13:33:04 localhost kernel: audit(1148664784.449:11): avc: denied { entrypoint } for pid=2683 comm="httpd" name="gbook.cgi" dev=dm-0 ino=11930847 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file

I don't have /var/log/audit
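An added example, not part of the bug report or of Fedora's tooling: a small Python scanner that parses the kernel AVC denial format quoted above and flags the pattern seen here, httpd_sys_script_t denied entrypoint on a file labeled httpd_sys_content_t, which tells a defender to check the CGI's file label or the httpd booleans before reaching for permissive mode. The first sample line is the one from the report; the second is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample log: line 1 is the AVC denial quoted above,
# line 2 is a made-up, unrelated httpd denial for contrast.
SAMPLE_LOG = """\
May 26 13:33:04 localhost kernel: audit(1148664784.449:11): avc: denied { entrypoint } for pid=2683 comm="httpd" name="gbook.cgi" dev=dm-0 ino=11930847 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
May 26 13:35:10 localhost kernel: audit(1148664910.120:12): avc: denied { read } for pid=2690 comm="httpd" name="notes.html" dev=dm-0 ino=11930850 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: list
    fields: dict

    @property
    def source_type(self):
        # scontext is user:role:type[:level]; the type is the third field
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line):
    """Return an AvcDenial for a kernel AVC line, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return AvcDenial(m.group("perms").split(), fields)


def diagnose(d):
    """Label the denial; the entrypoint case is the one in this report."""
    if "entrypoint" in d.perms and d.source_type == "httpd_sys_script_t" and d.fields.get("tclass") == "file":
        return (f"cgi-entrypoint: {d.fields.get('name')} is labeled {d.target_type}; "
                "check its file context (a *_script_exec_t type) or the httpd booleans")
    return f"other: {d.source_type} -> {d.target_type} {' '.join(d.perms)}"


def scan(text):
    """Parse every AVC line in text and pair it with its diagnosis."""
    return [(d, diagnose(d)) for d in map(parse_avc, text.splitlines()) if d]
```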
Okay, I was able to test this on a different FC5 system to make sure I didn't screw something up and I got basically the same thing (though this one has /var/log/audit and the avc message was in /var/log/audit/audit.log instead). I get this even with the scripts in cgi-bin.
Fixed in 2.2.43-3.fc5
Thanks :-)