Thunderstone Support Forums

I have installed a new server (Red Hat Enterprise Linux Server release 7.3) to move my existing web application too. Now that everything is moved when I try to bring up the main page I get the following error:
“500 Internal Server Error “

And in the log /var/log/httpd\error_log I get:
[cgi:error] [pid 10335] [client 10.20.25.115:49855] End of script output before headers: texis

The default apache site comes up without any issues it is the texis site I get the errors on?

If I change selinux to not enforce the site comes up.

My document root is not the default /var/www and so I did run the following commands to set the selinux permissions:

chcon -Rv --type=httpd_sys_content_t /newdocroot

I also ran this for the cgi-bin area:
chcon --type=httpd_unconfined_script_exec_t /usr2/pub/httpd/cgi-bin

My Apache version:
Apache/2.4.6 (Red Hat Enterprise Linux)
Server built: Aug 3 2016 08:33:27

My Texis version:
Texis Web Script (Vortex) Copyright (c) 1996-2004 Thunderstone - EPI, Inc.
Commercial Version 5.00.1086121238 20040601 (i686-unknown-linux2.4.9-64-32)

Since it works with SElinux off I know I must be missing an additional chcon change. Can you help me understand how SElinux needs to be configured to allow texis to run properly?
Thanks

Try that same chcon command, but on the texis executable (or symlink) itself in the CGI dir:

chcon --type=httpd_unconfined_script_exec_t /usr2/pub/httpd/cgi-bin/texis

The install script normally tries to do this itself (but probably only in versions newer than Texis 5.0).

The file was set correctly but I did it again just to make sure and it still doesn't work.
Here is what the file permissions look like

rwsr-xr-x. lken lken unconfined_u:object_r:httpd_unconfined_script_exec_t:s0 texis

Are there any errors from the same time as your Web access attempts to texis? I.e. access it from the web again and check /var/log/messages, secure etc. for messages at the same time.

No those logs and the vortex.log have nothing in them when this error occurs. The only log I find with errors is the httpd/errors_log

Ok also check /var/log/audit/audit.log and anything else the SELinux system might have written to.

here is what the audit.log had in it:

type=AVC msg=audit(1479819508.140:2222): avc: denied { execmem } for pid=13787 comm="texis" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1479819508.140:2222): arch=c000003e syscall=59 per=400000 success=no exit=-13 a0=7fbc5e0b63d8 a1=7fbc5e0b7ff8 a2=7fbc5e0b8010 a3=7ffd604ef0c0 items=0 ppid=10384 pid=13787 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="texis" exe="/usr2/pub/httpd/cgi-bin/texis" subj=system_u:system_r:httpd_t:s0 key=(null)

Ok that looks like Texis is trying to execute code in a data-only area of memory. I'm not sure why; could be a third-party library it uses trying to do so.

The workaround is to allow execmem in httpd:

setsebool -P httpd_execmem 1

and restart httpd. Note that this will allow any other httpd process to do so as well.

Is there a way to see what libraries texis is using? This doesn't seem like the best or safest option. I did have to install some 32bit libraries to get texis to install (https://ftp.thunderstone.com/pub/linux/ )

ldd texis will show what it uses at load time, primarily from the system. Additional libraries may be loaded later during run time, depending on what the script is doing, e.g. SSL, JavaScript etc. These libraries should all be in /usr/local/morph3/bin, e.g. libcrypto.so*, libtxjs.so, etc.