SELinux, Apache, and CGI
Quick tip: I was getting errors such as
audit(1137791734.344:3): avc: denied { execute_no_trans } for pid=5346
comm="httpd" name="configure" dev=dm-2 ino=49385
scontext=user_u:system_r:httpd_t
tcontext=user_u:object_r:httpd_sys_script_exec_t tclass=file
audit(1137795025.582:4): avc: denied { execute_no_trans } for pid=5462
comm="httpd" name="configure" dev=dm-2 ino=49385
scontext=user_u:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=file
in dmesg. I had some CGI scripts labeled first with
httpd_sys_script_exec_t, then httpd_sys_content_t; I hoped one of
these types would work, but neither did. I kept getting denied for
execute_no_trans. But why was I doing execute_no_trans (execute
without domain (type) transition) when I think I should have been
attempting plain ol’ execute?
Enter nosuid. The partition was mounted nosuid, and nosuid prevents
SELinux domain transitions: when the executable lives on a nosuid mount,
the kernel refuses to change the process's security context on exec, so
httpd_t running the script stays in httpd_t instead of transitioning
into httpd_sys_script_t. The policy then checks that exec as
execute_no_trans (execute without a domain transition), which httpd_t
is not allowed to do on httpd_sys_script_exec_t, hence the denials
above even though the label was right.
(Thanks to Aleksandar Milivojevic for posting this bug to (I think it
was) the Fedora SELinux list where Google found it, and of course to
Colin Walters for the answer.) I removed nosuid from the partition
and now my CGI scripts work.
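The following shell script is an added example, not code from the original post: it parses an AVC denial line of the kind shown above, pulls out the denied permission and the file's type, and then checks whether the mount holding the file carries nosuid, which is the first thing to rule out when the permission is execute_no_trans rather than execute. The AVC line and the /proc/mounts-style table are constructed sample input; the assumption that the CGI directory lives on a /var/www mount is mine, not the post's.

```shell
#!/bin/sh
# Added example: classify an SELinux AVC denial and check whether the
# file's mount point is nosuid (which blocks the domain transition).

# Constructed sample input, modelled on the dmesg lines quoted in the post.
SAMPLE_AVC='audit(1137791734.344:3): avc: denied { execute_no_trans } for pid=5346 comm="httpd" name="configure" dev=dm-2 ino=49385 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:httpd_sys_script_exec_t tclass=file'

# Constructed /proc/mounts-style table. Assumption: the CGI tree is on /var/www.
SAMPLE_MOUNTS='/dev/mapper/vg-root / ext3 rw 0 0
/dev/mapper/vg-www /var/www ext3 rw,nosuid,nodev 0 0
/dev/sda1 /boot ext3 rw 0 0'

# avc_permission LINE: print the permission named inside "denied { ... }".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([a-z_]*\) }.*/\1/p'
}

# avc_field LINE KEY: print the value of " KEY=value", quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# mount_options TABLE MOUNTPOINT: print the option string for MOUNTPOINT.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }'
}

# has_option OPTIONS NAME: succeed if NAME is one of the comma-separated options.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# live_mount_options PATH: options of the mount holding PATH on a real
# system (needs util-linux findmnt; not exercised by the constructed sample).
live_mount_options() {
    findmnt -no OPTIONS -T "$1"
}

# diagnose AVC_LINE MOUNT_TABLE MOUNTPOINT: print one verdict:
#   nosuid-blocks-transition  execute_no_trans denied on a nosuid mount
#   policy-or-label           execute_no_trans denied, mount allows suid
#   not-an-exec-denial        some other permission was denied
diagnose() {
    perm=$(avc_permission "$1")
    if [ "$perm" != "execute_no_trans" ]; then
        echo "not-an-exec-denial"
        return
    fi
    opts=$(mount_options "$2" "$3")
    if has_option "$opts" nosuid; then
        echo "nosuid-blocks-transition"
    else
        echo "policy-or-label"
    fi
}

# Stand-alone run against the constructed sample.
main() {
    printf 'denied permission: %s\n' "$(avc_permission "$SAMPLE_AVC")"
    printf 'file: %s  type: %s\n' \
        "$(avc_field "$SAMPLE_AVC" name)" "$(avc_field "$SAMPLE_AVC" tcontext)"
    printf 'mount options: %s\n' "$(mount_options "$SAMPLE_MOUNTS" /var/www)"
    printf 'verdict: %s\n' "$(diagnose "$SAMPLE_AVC" "$SAMPLE_MOUNTS" /var/www)"
}
main
```

On a live box you would feed real lines from `ausearch -m AVC -c httpd` (or dmesg) and replace the constructed table with `live_mount_options /var/www/cgi-bin`. The split between the two execute_no_trans verdicts is the useful part: on a nosuid mount no amount of relabelling will help, because the transition itself is what the mount option forbids, whereas on a suid-capable mount the same denial really does point at a labelling or policy problem.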
For more documentation on all the Apache-related SELinux features, see
httpd_selinux(8) on your Fedora system, and also Understanding and
Customizing the Apache HTTP SELinux
Policy.