Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 155716 - RFE: SELinux boolean to disable suexec
Summary: RFE: SELinux boolean to disable suexec
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-04-22 14:53 UTC by Joe Orton
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version: 1.23.12-5
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-13 20:05:39 UTC


Attachments (Terms of Use)

Description Joe Orton 2005-04-22 14:53:25 UTC
Description of problem:
It would be really useful if there was a boolean which allowed users to enable
or disable suexec access from httpd.  Currently there's no way to turn this on
or off globally otherwise.

It should default to "on" to maintain current behaviour.

Comment 2 Daniel Walsh 2005-04-22 17:33:50 UTC
Do you want this separate from httpd_enable_cgi?

We also added httpd_allow_builtin_scriptin.

Dan

Comment 4 Joe Orton 2005-04-25 12:23:01 UTC
Separate from httpd_enable_cgi: yes.  What does httpd_allow_builtin_scripting
do?  Control the "PHP scripts doing random stuff in random places" policy?


Comment 6 Daniel Walsh 2005-04-25 15:51:58 UTC
httpd_allow_buildin_scripting stop build in PHP from working.

if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting
ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
create_dir_file(httpd_t, httpdcontent)
}
if (httpd_builtin_scripting) {
r_dir_file(httpd_t, httpd_$1_script_ro_t)
create_dir_file(httpd_t, httpd_$1_script_rw_t)
ra_dir_file(httpd_t, httpd_$1_script_ra_t)
}



Comment 8 Daniel Walsh 2005-04-25 16:00:28 UTC
You can remove httpd_suexec_exec_t from 
/usr/sbin/suexec

And get the same effect.  

chcon -t sbin_t /usr/sbin/suexec

Dan

Comment 9 Joe Orton 2005-04-25 16:44:56 UTC
But that context change would not persist across an upgrade of the httpd
package, right?  That can already be achieved using just "chmod 000"; but we
want a solution which is *persistent* across upgrades.

Comment 10 Daniel Walsh 2005-04-25 17:55:00 UTC
Ok you beaten me into submission. 

selinux-policy-*-1.23.12-5 has 

httpd_suexec_disable_trans





Note You need to log in before you can comment on or make changes to this bug.