Red Hat Bugzilla – Bug 483524
RFE: denial when httpd_enable_cgi Boolean is on, but script is labeled incorrectly
Last modified: 2015-01-04 17:35:51 EST
Description of problem:
When httpd.conf is configured to serve/execute CGI scripts and the httpd_enable_cgi Boolean is on, but the CGI script in question is not labeled correctly, no SELinux denials occur, which can make the issue hard to troubleshoot.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Edit /etc/httpd/conf/httpd.conf to allow CGI scripts:
* uncomment the "AddHandler cgi-script .cgi" option.
* add "ExecCGI" to the "Options" section of the "<Directory "/var/www/html">" directive.
2. Download the <http://www.stanford.edu/services/web/cgi/examples/printenv.pl> script. Copy the script to /var/www/html/ and add .cgi to the file name: mv printenv.pl printenv.pl.cgi.
3. Change the mode of printenv.pl.cgi: chmod a+x printenv.pl.cgi
4. setsebool httpd_enable_cgi on
5. confirm the type is wrong (httpd_sys_content_t):
$ ls -lZ /var/www/html/printenv.pl.cgi
-rwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/printenv.pl.cgi
6. service httpd start
7. use Firefox to navigate to http://localhost/printenv.pl.cgi
Firefox displays the following error:
"Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log."
No SELinux denial. The following error is logged to /var/log/httpd/error_log
(13)Permission denied: exec of '/var/www/html/printenv.pl.cgi' failed
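The steps above boil down to three independent conditions that Apache collapses into one "Permission denied" line: the DAC mode bit, the script's SELinux type, and the httpd_enable_cgi Boolean. The following POSIX shell script is an added example, not part of the bug report or of setroubleshoot; it separates those three checks so the missing AVC is not needed. The pure helper functions parse constructed `ls -Z`, `getsebool` and error_log strings, so the logic runs offline; only `diagnose_cgi` touches the live system, and it assumes GNU `stat` (whose `%C` format prints the security context) and the `getsebool`, `semanage` and `restorecon` tools.

```shell
#!/bin/sh
# Added example: diagnose why Apache logs
#   (13)Permission denied: exec of '/path/to/script.cgi' failed
# on an SELinux host, distinguishing a DAC problem from a wrong file
# type and from the httpd_enable_cgi Boolean being off.

# Return the security-context token (user:role:type:level) from one line
# of `ls -Z` or `ls -lZ` output. Keyed on ":object_r:" so it works for the
# old 4-column format quoted in the report and for newer coreutils layouts.
ls_z_context() {
    for tok in $1; do
        case $tok in
            *:object_r:*) printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    return 1
}

# Type field of a context such as system_u:object_r:httpd_sys_content_t:s0
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# "on"/"off" from `getsebool httpd_enable_cgi` output: "httpd_enable_cgi --> on"
bool_state() {
    printf '%s\n' "$1" | sed 's/.*-->[ ]*//'
}

# "yes" if an httpd error_log line is the exec failure from the report
is_exec_denied() {
    case $1 in
        *"Permission denied: exec of "*) echo yes ;;
        *) echo no ;;
    esac
}

# Combine the script's SELinux type and the Boolean state into a verdict:
#   ok | wrong-label | boolean-off | wrong-label-and-boolean-off
classify_cgi() {
    if [ "$1" = httpd_sys_script_exec_t ]; then
        if [ "$2" = on ]; then echo ok; else echo boolean-off; fi
    else
        if [ "$2" = on ]; then echo wrong-label; else echo wrong-label-and-boolean-off; fi
    fi
}

# Live check of one script (needs GNU stat and getsebool on an SELinux host).
diagnose_cgi() {
    script=$1
    [ -x "$script" ] || echo "DAC: $script is not executable; chmod a+x it"
    ctx=$(stat -c %C "$script") || return 1
    setype=$(context_type "$ctx")
    state=$(bool_state "$(getsebool httpd_enable_cgi)")
    verdict=$(classify_cgi "$setype" "$state")
    echo "type=$setype httpd_enable_cgi=$state verdict=$verdict"
    case $verdict in
        wrong-label*)
            # chcon also works, but a relabel (restorecon, autorelabel)
            # reverts it; recording the context with semanage makes it stick.
            echo "fix: semanage fcontext -a -t httpd_sys_script_exec_t '$script' && restorecon -v '$script'" ;;
    esac
    case $verdict in
        *boolean-off)
            echo "fix: setsebool -P httpd_enable_cgi on" ;;
    esac
}

# Usage: sh cgi-selinux-check.sh /var/www/html/printenv.pl.cgi
if [ $# -gt 0 ]; then
    diagnose_cgi "$1"
fi
```

For the scenario in the report (type httpd_sys_content_t, Boolean on) the verdict is "wrong-label" with no AVC to look for; for the attachment's scenario (httpd_sys_script_exec_t, Boolean off) it is "boolean-off", which is the case where the policy does log a denial. The simplest way to avoid the labeling problem entirely is to keep CGI scripts under /var/www/cgi-bin, which the default file contexts already label httpd_sys_script_exec_t.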
chcon -t httpd_sys_script_exec_t /path/to/script
A denial occurs when the script is labeled with the httpd_sys_script_exec_t type and the httpd_enable_cgi Boolean is off.
Created attachment 330589
SELinux denial when script is labeled httpd_sys_script_exec_t, but httpd_enable_cgi Boolean is off
All Apache gets is eperm, which tells it to put that message in the log file.
It does not know if this is a DAC problem or a MAC problem.
Setroubleshoot is supposed to step in and try to help the user.