
I am having a tough time with this one. I am trying to get my Git repo over Apache and I am running into errors that seem to be related to SELinux. I am new to SELinux. I need help deciphering the output in the audit log. I have seen the suggestion to set SELinux to permissive mode to capture the errors and then run it through a command to build an SELinux profile for this operation. I need assistance in constructing the command from the output. My Apache server is calling a Python CGI script. Here is the audit log output:

    type=AVC msg=audit(1424300724.345:67): avc:  denied  { execute } for  pid=2306 comm="python3.3" path=2F746D702F666669316F59336968202864656C6574656429 dev=dm-0 ino=266176 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
    type=SYSCALL msg=audit(1424300724.345:67): arch=c000003e syscall=9 success=yes exit=140223631540224 a0=0 a1=1000 a2=5 a3=1 items=0 ppid=2303 pid=2306 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="python3.3" exe="/usr/local/bin/python3.3" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)

2 Answers

I am also new to SELinux; however, I have learned that for CGI scripts, your files need to have their TYPE attribute set to httpd_sys_script_exec_t ~ see this link

You can use the semanage fcontext command to set the CGI scripts with the type required. semanage link

I believe that you would run something like this:

# semanage records a labelling rule for the path (use the absolute path, or a regex);
# restorecon then applies the new label to the file so the change takes effect
semanage fcontext -a -t httpd_sys_script_exec_t "/path/to/file.py"
restorecon -v "/path/to/file.py"

Please check the manuals for confirmation/clarification of any of the above.

Regards, Victor.

Basil Bear

There are two ways I know around the issue; if the first doesn't work, try the second one:

The first one: you need to look in the SELinux logs to print all the errors related to python:

sudo cat /var/log/audit/audit.log | grep python | grep denied

We are going to use audit2allow to fix the issue. You need to install policycoreutils-python via yum if you don't have it.

And running the following command fixed the issue:

# filter for the python denials (not nginx) and build a module named mypython;
# -M writes mypython.te and mypython.pp, so that is the file semodule must load
sudo cat /var/log/audit/audit.log | grep python | grep denied | audit2allow -M mypython
sudo semodule -i mypython.pp

The second one is presented here.

CHEERS!

skip87
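Two things in this thread benefit from a little code: the asker wants help deciphering the AVC record (its `path=` field is hex-encoded, which is why it is unreadable), and the second answer pipes denials into audit2allow without looking at what rule comes out. The following is an added example for this thread, not code from the question or either answer. It parses AVC records of the kind shown above, decodes the hex path, pulls out the source and target types, filters by command the way the `grep python | grep denied` step does, and drafts the `allow` rule that audit2allow would generate from the same records so it can be read before `semodule -i` installs it. The sample log is the question's two records plus one constructed denial (invented pid, inode and path) so that rule grouping is exercised; the `review()` check that flags execute access to writable or runtime-created files is my own heuristic, not an audit2allow feature.

```python
"""Parse SELinux AVC denial records like the one in the question, decode the
hex-encoded path, and draft the allow rule audit2allow would build from them.
Added example for this thread; not the asker's or the answerers' code."""
import re
from collections import defaultdict

# Constructed sample log: the two records from the question followed by one
# made-up denial (pid/ino/path invented) so that rule grouping is exercised.
SAMPLE_LOG = """\
type=AVC msg=audit(1424300724.345:67): avc:  denied  { execute } for  pid=2306 comm="python3.3" path=2F746D702F666669316F59336968202864656C6574656429 dev=dm-0 ino=266176 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=SYSCALL msg=audit(1424300724.345:67): arch=c000003e syscall=9 success=yes exit=140223631540224 a0=0 a1=1000 a2=5 a3=1 items=0 ppid=2303 pid=2306 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="python3.3" exe="/usr/local/bin/python3.3" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1424300800.001:68): avc:  denied  { read open } for  pid=2310 comm="python3.3" path="/var/www/git/config" dev=dm-0 ino=300001 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
"""

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STRING_FIELDS = {'path', 'name', 'comm', 'exe'}   # fields auditd may hex-encode
EXEC_PERMS = {'execute', 'execmod', 'execmem', 'execute_no_trans'}


def decode_field(raw):
    """auditd quotes printable strings; a string containing a space, a quote or
    a non-printable byte (e.g. a '(deleted)' path) is emitted as bare hex."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    except ValueError:
        return raw


def parse_avc(line):
    """Return the interesting parts of one AVC record, or None for other types."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {}
    for key, raw in KV_RE.findall(m.group('rest')):
        fields[key] = decode_field(raw) if key in STRING_FIELDS else raw
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', ''),
        'path': fields.get('path', ''),
        # a context is user:role:type:level; policy rules are written on the type
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def parse_log(text, comm=None):
    """All AVC denials in the log, optionally only those from one command
    (the equivalent of the 'grep python | grep denied' step in the answer)."""
    denials = [d for d in map(parse_avc, text.splitlines()) if d]
    if comm:
        denials = [d for d in denials if d['comm'] == comm]
    return denials


def draft_rules(denials):
    """One 'allow' line per (source type, target type, class) with the
    permissions merged, which is the shape of the .te file audit2allow -M writes."""
    perms_by_key = defaultdict(set)
    for d in denials:
        perms_by_key[(d['source_type'], d['target_type'], d['tclass'])].update(d['perms'])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms_by_key.items())]


def review(denials):
    """Author's heuristic, not an audit2allow feature: point out denials whose
    allow rule would let the CGI domain execute web-writable or runtime-created
    files, because that is exactly what the httpd policy is meant to prevent."""
    notes = []
    for d in denials:
        if not EXEC_PERMS & set(d['perms']):
            continue
        if (d['target_type'].endswith('_rw_content_t')
                or d['path'].startswith('/tmp/') or '(deleted)' in d['path']):
            notes.append(f"{d['comm']} wants {' '.join(d['perms'])} on {d['path']!r} "
                         f"({d['target_type']}); review before allowing")
    return notes


if __name__ == '__main__':
    found = parse_log(SAMPLE_LOG, comm='python3.3')
    for d in found:
        print(d['path'], d['perms'], d['source_type'], '->', d['target_type'])
    print('\n'.join(draft_rules(found)))
    print('\n'.join(review(found)))
```

Run against the question's record, the decoded path is `/tmp/ffi1oY3ih (deleted)`: the Python process created a temporary file under /tmp, unlinked it, and then (syscall 9 on x86_64 is mmap; `a2=5` is PROT_READ|PROT_EXEC) mapped it executable, and `success=yes` is what a permissive-mode denial looks like. That explains why the two answers land differently: a `semanage fcontext` rule plus `restorecon` cannot relabel a randomly named file that no longer exists on disk, and the rule audit2allow drafts from this record, `allow httpd_sys_script_t httpd_sys_rw_content_t:file { execute };`, lets CGI scripts execute anything labelled as web-writable content, which is the kind of rule worth reading before loading it with `semodule -i`.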