Having an issue with a CGI Virtual Host, it only works if I have Selinux in permissive mode. Otherwise I get 500 Internal Server Error and this in my log:
[Fri Jan 11 13:26:25.419842 2019] [cgi:error] [pid 3472] [client 172.28.14.250:56184] AH01215: /bin/bash: /etc/httpd/conf.d/vhosts/plutjko/plutjko.sh: Permission denied
[Fri Jan 11 13:26:25.419865 2019] [cgi:error] [pid 3472] [client 172.28.14.250:56184] End of script output before headers: plutjko.sh
[root@prod conf.d]# cat plutjko.example.com.conf
<VirtualHost *:80>
ServerName plutjko.example.com
ServerAlias www.plutjko.example.com
DocumentRoot /etc/httpd/conf.d/vhosts/plutjko
DirectoryIndex plutjko.sh
</VirtualHost>
<Directory /etc/httpd/conf.d/vhosts/plutjko>
Options ExecCGI
SetHandler cgi-script
</Directory>
[root@prod ~]# ll -Z /etc/httpd/conf.d/vhosts/plutjko/plutjko.sh
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 /etc/httpd/conf.d/vhosts/plutjko/plutjko.sh
[root@prod conf.d]# getsebool -a | grep httpd_enable_cgi
httpd_enable_cgi --> on
Any ideas?
CGI virtual host & Selinux
Re: CGI virtual host & Selinux
You mv'ed a file from elsewhere into /etc/httpd/conf.d/vhosts and it took the wrong selinux context with it. Next time use mv -Z which sets it correctly depending on the target location. To fix it now, run restorecon -RFv /etc/httpd/conf.d/vhosts
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: CGI virtual host & Selinux
I did restorecon on that folder, the new file context shows:
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 plutjko.sh
but still getting the 500 error code.
Re: CGI virtual host & Selinux
Wait... you are trying to _execute_ /etc/httpd/conf.d/vhosts/plutjko/plutjko.sh ? Wrong place for cgi files to exist completely. CGI files are designed to live in /var/www/cgi-bin not under /etc/httpd/conf.d/. Your document root should not be in /etc/httpd/conf.d/vhosts/plutjko - that's a directory for config files not for files for the web server to serve.
Re: CGI virtual host & Selinux
I agree, it's not the most logical location.. I moved it to /cgi-script and changed the semanage file context accordingly:
[root@prod /]# ll -Z /cgi-script
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 plutjko.sh
Same deal.. can't run my CGI-script with Selinux in enforcing mode, but shows fine in permissive.
Re: CGI virtual host & Selinux
Without checking the logs, resolution of the issue will be hard.
As you have narrowed it to SELINUX, install setroubleshoot-server package and then run:
sealert -a /var/log/audit/audit.log
and paste the output.
Re: CGI virtual host & Selinux
My CGI-script contained lsblk, which SELinux didn't like.
I ran sealert -a /var/log/audit/audit.log:
SELinux is preventing /usr/bin/lsblk from read access on the file
SELinux is preventing /usr/bin/lsblk from getattr access on the file
SELinux is preventing /usr/libexec/colord from getattr access on the file
I put 'free -m' and I can see that.
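The finding in the last post, that the denials hit a command the script runs (lsblk) and not the script file itself, can also be read from the audit log by grouping AVC denials by the denied process domain. This is an added example, not part of the thread: the function names and the sample records are constructed, and `example_target_t` is a placeholder type.

```shell
#!/bin/sh
# Added example: group SELinux AVC denials by the domain that was denied.
# Sample records are constructed; example_target_t is a placeholder type.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1547209585.101:811): avc:  denied  { read } for  pid=3480 comm="lsblk" name="placeholder" dev="dm-0" ino=101 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:example_target_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1547209585.101:811): arch=c000003e syscall=2 success=no exit=-13 comm="lsblk" exe="/usr/bin/lsblk"
type=AVC msg=audit(1547209585.102:812): avc:  denied  { getattr } for  pid=3480 comm="lsblk" name="placeholder" dev="dm-0" ino=101 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:example_target_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547209590.310:815): avc:  denied  { read } for  pid=3491 comm="lsblk" name="placeholder" dev="dm-0" ino=101 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:example_target_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547209600.007:820): avc:  denied  { getattr } for  pid=912 comm="colord" name="placeholder" dev="dm-0" ino=202 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:example_target_t:s0 tclass=file permissive=0
EOF
}

# avc_by_domain DOMAIN [FILE...]: count denials whose source (process) type
# is DOMAIN, keyed by command, permission, object class and target type.
# Reads stdin when no FILE is given.
avc_by_domain() {
  dom=$1; shift
  awk -v dom="$dom" '
    /type=AVC/ && /denied/ {
      perms = ""; comm = "?"; src = "?"; tgt = "?"; cls = "?"; inb = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inb = 1; continue }   # permission list opens
        if ($i == "}") { inb = 0; continue }   # permission list closes
        if (inb) { perms = (perms == "" ? $i : perms "," $i); continue }
        if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:TYPE:level
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == dom) n[comm " " src " " perms " " cls " " tgt]++
    }
    END { for (k in n) print n[k], k }
  ' "$@" | sort -k2
}

# The script file is labelled correctly, yet commands it spawns still run
# confined in httpd_sys_script_t; the colord_t record is filtered out.
sample_audit_log | avc_by_domain httpd_sys_script_t
```

On a real host the same function takes the log path from the thread as its file argument: `avc_by_domain httpd_sys_script_t /var/log/audit/audit.log`, run as root.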