If I set SELinux to permissive, it works; if I set it to enforcing, it silently fails. I've poked around other logs to no avail.
Details
* RHEL 7, KVM guest
* fully patched up, i.e. RHEL 7.4, kernel 3.10.0-693.21.1.el7.x86_64
* apache, mod_ssl, and mod_authnz_pam configured for basic auth
CGI script:
#!/usr/bin/perl
use strict;
use warnings;

# Emit a page listing every installed package and its version.
print "Content-Type: text/html\n\n";
print "<pre>\n";
# rpm opens its database under /var/lib/rpm (rpm_var_lib_t), the access the AVC below denies.
my @installedPkgs = `/bin/rpm -qa --qf "%{NAME} %{VERSION}\n"`;
print join("", @installedPkgs);
print "</pre>\n";
exit;
The initial SELinux audit log gave me this rule to add:
type=AVC msg=audit(1523330343.585:220): avc: denied { search } for pid=4291 comm="rpm" name="rpm" dev="dm-0" ino=4194378 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
Which I did, resulting in the following .te file:
module dnsmanager 1.0;

require {
	type httpd_sys_script_t;
	type rpm_var_lib_t;
	class dir search;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t rpm_var_lib_t:dir search;
Applying it and testing again still shows the script works with SELinux permissive, but not with SELinux enforcing.
There is no further logging in either mode, and I'm out of ideas to try next... anyone?
I'd appreciate any pointers.
Regards,
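As an added example (not the poster's code), here is a small audit2allow-style generator that derives the .te module above from AVC records like the one quoted; the second audit record in the sample is constructed to show how several denials for one domain fold into a single module.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC record quoted in the post plus a made-up
# second record for the same domain. Real records live in /var/log/audit/audit.log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1523330343.585:220): avc: denied { search } for pid=4291 comm="rpm" name="rpm" dev="dm-0" ino=4194378 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1523330344.101:221): avc: denied { read open } for pid=4291 comm="rpm" name="Packages" dev="dm-0" ino=4194400 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
"""

def parse_avc_line(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial, else None."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}', line)
    if m is None:
        return None
    perms = set(m.group(1).split())
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    # A context is user:role:type:level; the policy type is the third field.
    sdom = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return sdom, ttype, fields['tclass'], perms

def collect_rules(text):
    """Merge denials per (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for parsed in filter(None, map(parse_avc_line, text.splitlines())):
        rules[parsed[:3]].update(parsed[3])
    return dict(rules)

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def generate_te(module_name, rules):
    """Render a .te module in the layout audit2allow -M produces."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f'module {module_name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt_perms(classes[c])};' for c in sorted(classes)]
    out += ['}', '']
    for sdom in sorted({key[0] for key in rules}):
        out.append(f'#============= {sdom} ==============')
        for (s, t, c), perms in sorted(rules.items()):
            if s == sdom:
                out.append(f'allow {s} {t}:{c} {fmt_perms(perms)};')
    return '\n'.join(out) + '\n'
```

Denials covered by the policy's dontaudit rules never reach the audit log, so an empty log in enforcing mode does not by itself rule out SELinux; `semodule -DB` temporarily disables those rules (`semodule -B` restores them), after which `ausearch -m AVC -ts recent` pulls the records this parser expects.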