CGI virtual host & Selinux

General support questions
Ovitus
Posts: 27
Joined: 2018/12/07 16:01:43

CGI virtual host & Selinux

Post by Ovitus » 2019/01/11 18:30:03

Having an issue with a CGI Virtual Host, it only works if I have Selinux in permissive mode. Otherwise I get 500 Internal Server Error and this in my log:

[Fri Jan 11 13:26:25.419842 2019] [cgi:error] [pid 3472] [client 172.28.14.250:56184] AH01215: /bin/bash: /etc/httpd/conf.d/vhosts/plutjko/plutjko.sh: Permission denied
[Fri Jan 11 13:26:25.419865 2019] [cgi:error] [pid 3472] [client 172.28.14.250:56184] End of script output before headers: plutjko.sh

[root@prod conf.d]# cat plutjko.example.com.conf
<VirtualHost *:80>
ServerName plutjko.example.com
ServerAlias www.plutjko.example.com
DocumentRoot /etc/httpd/conf.d/vhosts/plutjko
DirectoryIndex plutjko.sh
</VirtualHost>

<Directory /etc/httpd/conf.d/vhosts/plutjko>
Options ExecCGI
SetHandler cgi-script
</Directory>

[root@prod ~]# ll -Z /etc/httpd/conf.d/vhosts/plutjko/plutjko.sh
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 /etc/httpd/conf.d/vhosts/plutjko/plutjko.sh

[root@prod conf.d]# getsebool -a | grep httpd_enable_cgi
httpd_enable_cgi --> on

Any ideas?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CGI virtual host & Selinux

Post by TrevorH » 2019/01/11 18:41:05

You mv'ed a file from elsewhere into /etc/httpd/conf.d/vhosts and it took the wrong selinux context with it. Next time use mv -Z which sets it correctly depending on the target location. To fix it now, run restorecon -RFv /etc/httpd/conf.d/vhosts
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Ovitus
Posts: 27
Joined: 2018/12/07 16:01:43

Re: CGI virtual host & Selinux

Post by Ovitus » 2019/01/11 19:50:10

I did restorecon on that folder, the new file context shows:

-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 plutjko.sh

but still getting the 500 error code.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CGI virtual host & Selinux

Post by TrevorH » 2019/01/12 15:34:58

Wait... you are trying to _execute_ /etc/httpd/conf.d/vhosts/plutjko/plutjko.sh ? Wrong place for cgi files to exist completely. CGI files are designed to live in /var/www/cgi-bin not under /etc/httpd/conf.d/. Your document root should not be in /etc/httpd/conf.d/vhosts/plutjko - that's a directory for config files not for files for the web server to serve.

Ovitus
Posts: 27
Joined: 2018/12/07 16:01:43

Re: CGI virtual host & Selinux

Post by Ovitus » 2019/01/14 21:47:51

I agree, it's not the most logical location.. I moved it to /cgi-script and changed the semanage file context accordingly:

[root@prod /]# ll -Z /cgi-script
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 plutjko.sh

Same deal.. can't run my CGI-script with Selinux in enforcing mode, but shows fine in permissive.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: CGI virtual host & Selinux

Post by hunter86_bg » 2019/01/15 05:10:16

Without checking the logs, resolution of the issue will be hard.
As you have narrowed it to SELINUX, install setroubleshoot-server package and then run:


sealert -a /var/log/audit/audit.log
and paste the output.

Ovitus
Posts: 27
Joined: 2018/12/07 16:01:43

Re: CGI virtual host & Selinux

Post by Ovitus » 2019/01/15 21:23:34

My CGI-script contained lsblk, which SELinux didn't like.

I ran sealert -a /var/log/audit/audit.log:
SELinux is preventing /usr/bin/lsblk from read access on the file
SELinux is preventing /usr/bin/lsblk from getattr access on the file
SELinux is preventing /usr/libexec/colord from getattr access on the file

I put 'free -m' and I can see that.
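The denials in the last post are against the child process the CGI script spawns (lsblk), running in the script's httpd_sys_script_t domain, not against the script file itself, which is why relabelling the file with restorecon could not fix it. The script below, an added example that is not part of the thread, shows how to reduce raw AVC records from audit.log into a per-denial summary (source type, target type, object class, permission, and whether the denial was enforced or only logged in permissive mode) so this distinction is obvious at a glance. The audit lines in it are constructed samples modelled on the thread's scenario; the target labels sysfs_t and fixed_disk_device_t are assumptions about what lsblk touches, not values from the thread. On a real host you would feed it the output of `ausearch -m AVC -ts recent` or the audit log itself instead.

```shell
#!/bin/sh
# Added example (not from the thread): summarize SELinux AVC denials so that
# the process, the domain, and the target label of each denial are visible.
#
# Constructed sample audit records (NOT real log lines). They mimic a CGI
# script in httpd_sys_script_t calling lsblk; the target types sysfs_t and
# fixed_disk_device_t are assumptions for illustration.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1547583985.419:101): avc:  denied  { read } for  pid=3480 comm="lsblk" name="block" dev="sysfs" ino=21 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1547583985.420:102): avc:  denied  { getattr } for  pid=3480 comm="lsblk" path="/dev/sda" dev="devtmpfs" ino=9 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=SYSCALL msg=audit(1547583985.420:102): arch=c000003e syscall=6 success=no exit=-13
type=AVC msg=audit(1547583990.117:103): avc:  denied  { read } for  pid=3482 comm="lsblk" name="block" dev="sysfs" ino=21 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1547584010.001:104): avc:  denied  { read } for  pid=3490 comm="lsblk" name="block" dev="sysfs" ino=21 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1'

# summarize_avc: reads audit records on stdin and prints one line per distinct
# denial, sorted, in the form
#   <count> <comm> <source type> -> <target type> (<tclass>) { <perms> } enforced|permissive
# Only "type=AVC ... denied" records are considered; SYSCALL records are skipped.
summarize_avc() {
  awk '
    /^type=AVC / && / denied / {
      # permissions sit between "denied  { " and " }"
      perms = $0
      sub(/.*denied  [{] /, "", perms)
      sub(/ [}].*/, "", perms)
      comm = scon = tcon = tclass = mode = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)       { comm = substr($i, 6); gsub(/"/, "", comm) }
        # keep only the type field (third colon-separated part) of each context
        if ($i ~ /^scontext=/)   { split(substr($i, 10), a, ":"); scon = a[3] }
        if ($i ~ /^tcontext=/)   { split(substr($i, 10), b, ":"); tcon = b[3] }
        if ($i ~ /^tclass=/)     { tclass = substr($i, 8) }
        # permissive=0 means the access was actually blocked
        if ($i ~ /^permissive=/) { mode = (substr($i, 12) == "0") ? "enforced" : "permissive" }
      }
      key = comm " " scon " -> " tcon " (" tclass ") { " perms " } " mode
      count[key]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort
}

# enforced_commands: from the same records, list the distinct commands that
# were actually blocked (permissive=0). These are the calls the CGI script
# cannot make in enforcing mode and must drop or cover with a policy module.
enforced_commands() {
  summarize_avc | awk '$NF == "enforced" { print $2 }' | LC_ALL=C sort -u
}

# Usage with the constructed sample:
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc
printf '%s\n' "$SAMPLE_AUDIT_LOG" | enforced_commands
```

Reading the summary, the source type is the script's domain and the target types are device and sysfs labels, so the fix is either to remove the call from the script (as the poster did by switching to free -m) or to grant exactly those accesses through a small module built with audit2allow; granting a web-facing script domain access to block devices should be a deliberate decision, not a reflex.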
