Or, more precisely, we have a std. directory, which is bind mounted, and which was set with semanage fcontext -a -e /var/www /actual/path/htdocs, and a file in <directory>/htdocs/<site>/cgi-bin/sub>/<sub?file
-rw-rw-r--. apache imagej unconfined_u:object_r:httpd_sys_script_exec_t:s0
is the file's info. From the names, I'm guessing some .cgi is writing a count to it.
What *should* it be?
mark
Not sure if you realize, but you didn't actually include any information about the denial you are receiving. It's kind of tough to guess at what it might be.
- J<
Jason L Tibbitts III wrote:
> Not sure if you realize, but you didn't actually include any information about the denial you are receiving. It's kind of tough to guess at what it might be.
SELinux is preventing Count.cgi from write access on the file...
Source Context system_u:system_r:httpd_sys_script_t:s0
Target Context unconfined_u:object_r:httpd_sys_script_exec_t:s0
Policy RPM selinux-policy-3.13.1-192.el7_5.3.noarch
Raw Audit Messages
type=AVC msg=audit(1528998541.365:53668): avc: denied { write } for pid= <snip> scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file
Better?
mark
On Thu, 14 Jun 2018 14:21:26 -0400 m.roth@5-cent.us wrote:
> Jason L Tibbitts III wrote:
>> Not sure if you realize, but you didn't actually include any information about the denial you are receiving. It's kind of tough to guess at what it might be.
> SELinux is preventing Count.cgi from write access on the file...
> Source Context system_u:system_r:httpd_sys_script_t:s0
> Target Context unconfined_u:object_r:httpd_sys_script_exec_t:s0
> Policy RPM selinux-policy-3.13.1-192.el7_5.3.noarch
> Raw Audit Messages
> type=AVC msg=audit(1528998541.365:53668): avc: denied { write } for pid= <snip> scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file
> Better?
The file you want to write to should probably be httpd_sys_rw_content_t rather than httpd_sys_script_exec_t.
Paul.
On 06/15/2018 12:13 PM, Paul Howarth wrote:
> On Thu, 14 Jun 2018 14:21:26 -0400 m.roth@5-cent.us wrote:
>> Jason L Tibbitts III wrote:
>>> Not sure if you realize, but you didn't actually include any information about the denial you are receiving. It's kind of tough to guess at what it might be.
>> SELinux is preventing Count.cgi from write access on the file...
>> Source Context system_u:system_r:httpd_sys_script_t:s0
>> Target Context unconfined_u:object_r:httpd_sys_script_exec_t:s0
>> Policy RPM selinux-policy-3.13.1-192.el7_5.3.noarch
>> Raw Audit Messages
>> type=AVC msg=audit(1528998541.365:53668): avc: denied { write } for pid= <snip> scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file
>> Better?
> The file you want to write to should probably be httpd_sys_rw_content_t rather than httpd_sys_script_exec_t.
Agree with Paul; however, should the file you want to write to be executed as a cgi-bin script?
Lukas.
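As an added illustration (not code from any poster in this thread), this Python sketch parses the raw AVC record exactly as it was posted, tolerating the snipped `pid` field, and flags the pattern the replies point to: the CGI script domain being denied a write on a file that carries the script-exec label. The function names and the set of write-like permissions are assumptions made for the example.

```python
import re

# Raw AVC record exactly as posted in the thread (pid value was snipped).
SAMPLE_AVC = (
    "type=AVC msg=audit(1528998541.365:53668): avc: denied { write } for "
    "pid= <snip> scontext=system_u:system_r:httpd_sys_script_t:s0 "
    "tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file"
)

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value; skips empty "pid= "

# Types named in the thread; the write-like permission set is an assumption.
SCRIPT_DOMAIN = "httpd_sys_script_t"
EXEC_TYPE = "httpd_sys_script_exec_t"
RW_TYPE = "httpd_sys_rw_content_t"
WRITE_PERMS = {"write", "append", "setattr", "unlink", "rename"}


def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m["result"], "perms": m["perms"].split()}
    for key, value in FIELD_RE.findall(line):
        rec[key] = value.strip('"')
    for ctx, out in (("scontext", "stype"), ("tcontext", "ttype")):
        parts = rec.get(ctx, "").split(":", 3)  # user:role:type[:level]
        rec[out] = parts[2] if len(parts) >= 3 else None
    return rec


def diagnose(rec):
    """Flag a CGI script writing to a file that carries the script-exec label."""
    if rec is None or rec["result"] != "denied":
        return None
    if (rec["stype"] == SCRIPT_DOMAIN and rec["ttype"] == EXEC_TYPE
            and rec.get("tclass") == "file" and WRITE_PERMS & set(rec["perms"])):
        return (f"{SCRIPT_DOMAIN} denied {rec['perms']} on a {EXEC_TYPE} file: "
                f"if it is data, not a script, label it {RW_TYPE}")
    return "denial does not match the exec-label pattern; review manually"


if __name__ == "__main__":
    print(diagnose(parse_avc(SAMPLE_AVC)))
```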