SELinux does not prevent Apache from running CGI files with incorrect context
Issue
- If I put the httpd_sys_content_t context on my CGI files (instead of httpd_sys_script_exec_t), I can still run these CGI files through my web server. Shouldn't SELinux prevent Apache from running CGI files without the httpd_sys_script_exec_t context?
$ ps -Zu apache
LABEL PID TTY TIME CMD
unconfined_u:system_r:httpd_t:s0 8487 ? 00:00:00 httpd
$ ls -lZ /var/www/cgi-bin/mycgi_test.sh
-rwx---r-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/cgi-bin/mycgi_test.sh
Environment
- Red Hat Enterprise Linux 6.5