redhat Apache fast-cgi selinux permissions
Posted by Alejo JM on Server Fault, published 2012-09-07T21:15:38Z
My Apache installation is running PHP as FastCGI, and the virtual
hosts are pointing to /home/*/public_html,
and the FastCGI wrappers are /home/*/cgi-bin/php.fcgi.
The public_html setup with SELinux was:
/usr/sbin/setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t /home/someuser/public_html
The owner and group are the user, for example the user "someuser":
ls -all /home/someuser/cgi-bin/
drwxr-xr-x 2 someuser someuser 4096 Sep 7 13:14 .
drwx--x--x 6 someuser someuser 4096 Sep 6 18:17 ..
-rwxr-xr-x 1 someuser someuser 308 Sep 7 13:14 php.fcgi
ls -all /home/someuser/public_html/ | grep info.php
-rw-r--r-- 1 someuser someuser 24 Sep 3 16:24 info.php
When I visit the site I get "Forbidden ..." and the log says:
[Fri Sep 07 12:02:51 2012] [error] [client x.x.x.x] (13)Permission denied: access to /cgi-bin/php.fcgi/info.php denied
My SELinux conf is:
SELINUX=enforcing
SELINUXTYPE=targeted
SETLOCALDEFS=0
So I killed SELinux (SELINUX=disabled), rebooted the system and everything works!!!!!
The problem is SELinux; I don't want to disable SELinux. I tried this with no success:
setsebool -P httpd_enable_cgi 1
chcon -t httpd_sys_script_exec_t /home/someuser/cgi-bin/php.fcgi
chcon -R -t httpd_sys_content_t /home/someuser/cgi-bin
Or maybe it is better to change SELinux from
SELINUX=enforcing to SELINUX=permissive
and disable SELinux for httpd?
(I think I better find the correct configuration)
Thanks for any suggestion on this matter.
My environment:
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Server version: Apache/2.2.3
PHP 5.1.6 (cli) (built: Jun 22 2012 06:20:25)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies
Some logs:
ps -ZC httpd
LABEL PID TTY TIME CMD
system_u:system_r:httpd_t 2822 ? 00:00:00 httpd
system_u:system_r:httpd_t 2823 ? 00:00:00 httpd
system_u:system_r:httpd_t 2824 ? 00:00:00 httpd
system_u:system_r:httpd_t 2825 ? 00:00:00 httpd
system_u:system_r:httpd_t 2826 ? 00:00:00 httpd
system_u:system_r:httpd_t 2836 ? 00:00:00 httpd
system_u:system_r:httpd_t 2837 ? 00:00:00 httpd
system_u:system_r:httpd_t 2838 ? 00:00:00 httpd
system_u:system_r:httpd_t 2839 ? 00:00:00 httpd
system_u:system_r:httpd_t 2840 ? 00:00:00 httpd
getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_read_user_content --> off
httpd_rotatelogs_disable_trans --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
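Added example, not code from the question or from Server Fault: a small shell audit of the two things the question is poking at, the SELinux types on the home-directory cgi-bin and public_html files and the httpd booleans. It assumes the RHEL 5 `ls -Z` line layout and assumes, from the chcon commands above, that a FastCGI wrapper needs a `*_script_exec_t` type while served content needs an `httpd_*_content_t` type; the sample lines are constructed so it runs offline.

```shell
# Offline audit: parses constructed `ls -Z` and `getsebool -a` style text.
# On a live host, pipe the real commands into the same two functions.

# Constructed sample shaped like `ls -Z /home/someuser/cgi-bin ...` after the
# chcon commands in the question: php.fcgi only carries the content type.
SAMPLE_LS='-rwxr-xr-x someuser someuser user_u:object_r:httpd_sys_content_t php.fcgi
-rw-r--r-- someuser someuser user_u:object_r:httpd_sys_content_t info.php'

# Constructed sample shaped like `getsebool -a | grep httpd`.
SAMPLE_BOOLS='httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_read_user_content --> off'

# selinux_type CONTEXT: print the type field of user:role:type[:level].
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# audit_labels: read "<mode> <owner> <group> <context> <name>" lines on stdin.
# A *.fcgi wrapper must carry a *_script_exec_t type (assumption: httpd_t may
# execute it); anything else must carry an httpd_*_content_t type so httpd_t
# may read it. Returns 0 when every line conforms, 1 otherwise.
audit_labels() {
  status=0
  while read -r mode owner group ctx name; do
    [ -n "$name" ] || continue
    ftype=$(selinux_type "$ctx")
    case "$name" in *.fcgi) want='*_script_exec_t' ;; *) want='httpd_*_content_t' ;; esac
    case "$ftype" in
      $want) ;;
      *) echo "MISLABELED $name: $ftype (expected $want)"; status=1 ;;
    esac
  done
  return $status
}

# Booleans the question's own setup relies on; extend for your policy version.
REQUIRED_BOOLS='httpd_enable_cgi httpd_enable_homedirs'

# audit_booleans: read "name --> on|off" lines on stdin and report any required
# boolean that is off. Returns 0 when all required ones are on, 1 otherwise.
audit_booleans() {
  status=0
  while read -r name _ value; do
    for want in $REQUIRED_BOOLS; do
      if [ "$name" = "$want" ] && [ "$value" != on ]; then
        echo "BOOLEAN OFF: $name (setsebool -P $name 1 to enable)"; status=1
      fi
    done
  done
  return $status
}

printf '%s\n' "$SAMPLE_LS" | audit_labels || echo 'labels need fixing'
printf '%s\n' "$SAMPLE_BOOLS" | audit_booleans && echo 'required booleans are on'
```

On the constructed sample the label audit flags php.fcgi, which is exactly the file the question's chcon -R left with a content type instead of an exec type.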