How to set SELinux to allow CGI script to create a file

kamae

1/24/23, 12:11 AM

I'm writing a CGI for httpd on CentOS 7, which create and write files on a directory under home. When I enable SELinux, it causes Internal Server Error. How can I setup SELinux?

The command sudo ausearch -m AVC,USER_AVC -ts recent shows an error below.

time->Fri Sep 24 09:03:23 2021
type=PROCTITLE msg=audit(1632441803.684:10739412): proctitle=2F7573722F62696E2F707974686F6E330075706C6F61642E636769
type=SYSCALL msg=audit(1632441803.684:10739412): arch=c000003e syscall=2 success=no exit=-13 a0=7f69aa9978c0 a1=a00c2 a2=180 a3=3 items=0 ppid=12020 pid=5135 auid=4294967295 uid=1018 gid=1018 euid=1018 suid=1018 fsuid=1018 egid=1018 sgid=1018 fsgid=1018 tty=(none) ses=4294967295 comm="upload.cgi" exe="/usr/bin/python3.6" subj=system_u:system_r:httpd_user_script_t:s0 key=(null)
type=AVC msg=audit(1632441803.684:10739412): avc:  denied  { add_name } for  pid=5135 comm="upload.cgi" name="16r3sq_k" scontext=system_u:system_r:httpd_user_script_t:s0 tcontext=unconfined_u:object_r:httpd_user_script_exec_t:s0 tclass=dir permissive=0

The context of the directory is set as below.

$ ls -ldZ uploaded
drwxrwxr-x. user user unconfined_u:object_r:httpd_user_rw_content_t:s0 uploaded

140

0 + 0

httpd

selinux

Michael Hampton

1/24/23, 12:51 AM

Your program `upload.cgi` is trying to create a file named `16r3sq_k` in some directory. The logs don't say which directory. What directory is this?

kamae

1/24/23, 9:04 AM

@MichaelHampton The directory is `~/public_html/uploaded/`. I set `httpd_user_rw_content_t` for the directory but I'm not sure this is the right context settings.

Michael Hampton

1/24/23, 2:26 PM

SELinux is very insistent that a web server or processes it spawns cannot write to user home directories (only read is permitted). Place your web site in an appropriate place in the filesystem which SELinux recognizes, e.g. `/srv/www/myappname`.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to set SELinux to allow CGI script to create a file

TH: วิธีตั้งค่า SELinux ให้สคริปต์ CGI สร้างไฟล์

RO: Cum să setați SELinux pentru a permite script-ului CGI să creeze un fișier

RU: Как настроить SELinux, чтобы сценарий CGI мог создавать файл

VI: Cách đặt SELinux để cho phép tập lệnh CGI tạo tệp

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.