Bug 155716

Summary: RFE: SELinux boolean to disable suexec
Product: Fedora
Reporter: Joe Orton <jorton>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: rawhide
CC: gajownik
Keywords: FutureFeature
Hardware: All
OS: Linux
Fixed In Version: 1.23.12-5
Doc Type: Enhancement
Last Closed: 2005-08-13 20:05:39 UTC

Description Joe Orton 2005-04-22 14:53:25 UTC
Description of problem:
It would be really useful if there was a boolean which allowed users to enable
or disable suexec access from httpd.  Currently there's no way to turn this on
or off globally otherwise.

It should default to "on" to maintain current behaviour.

Comment 2 Daniel Walsh 2005-04-22 17:33:50 UTC
Do you want this separate from httpd_enable_cgi?

We also added httpd_allow_builtin_scripting.

Dan

Comment 4 Joe Orton 2005-04-25 12:23:01 UTC
Separate from httpd_enable_cgi: yes.  What does httpd_allow_builtin_scripting
do?  Control the "PHP scripts doing random stuff in random places" policy?


Comment 6 Daniel Walsh 2005-04-25 15:51:58 UTC
httpd_allow_builtin_scripting stops built-in PHP from working.

# httpd_t may transition into httpd_sys_script_t for content it handles
# only when all three booleans are set (and, in the targeted policy,
# httpd_disable_trans is not).
if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting
ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
    domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
    create_dir_file(httpd_t, httpdcontent)
}
# With built-in scripting on, httpd_t itself gets read, create and append
# access to the per-flavour script content types.
if (httpd_builtin_scripting) {
    r_dir_file(httpd_t, httpd_$1_script_ro_t)
    create_dir_file(httpd_t, httpd_$1_script_rw_t)
    ra_dir_file(httpd_t, httpd_$1_script_ra_t)
}



Comment 8 Daniel Walsh 2005-04-25 16:00:28 UTC
You can remove httpd_suexec_exec_t from /usr/sbin/suexec and get the same
effect.

chcon -t sbin_t /usr/sbin/suexec

Dan

Comment 9 Joe Orton 2005-04-25 16:44:56 UTC
But that context change would not persist across an upgrade of the httpd
package, right?  That can already be achieved using just "chmod 000"; but we
want a solution which is *persistent* across upgrades.

Comment 10 Daniel Walsh 2005-04-25 17:55:00 UTC
Ok, you've beaten me into submission.

selinux-policy-*-1.23.12-5 has 

httpd_suexec_disable_trans
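The boolean from comment 10 and the persistence concern from comment 9, as an added example that is not code from the bug report or from the selinux-policy package: a POSIX shell script that sets httpd_suexec_disable_trans persistently and checks that the chcon workaround from comment 8 is not still in place. It assumes an SELinux host with policycoreutils and GNU stat, and that, following the *_disable_trans naming seen in comment 6, the boolean being on disables the transition; the functions bool_state, context_type, label_matches_policy and suexec_disable_persistently are mine.

```shell
#!/bin/sh
# Added example, not from the bug report or the selinux-policy package:
# set the boolean from comment 10 persistently and check that the chcon
# workaround from comment 8 is not still in place. Assumes an SELinux host
# with policycoreutils (getsebool, setsebool, matchpathcon, restorecon)
# and GNU stat; the boolean being "on" is taken to disable the transition
# (assumption). Nothing runs until the script is invoked with "apply".
set -eu

BOOL=httpd_suexec_disable_trans
SUEXEC=/usr/sbin/suexec

# Last word of a getsebool line, e.g. "httpd_suexec_disable_trans --> off".
bool_state() {
    printf '%s\n' "${1##* }"
}

# Type field of a security context, e.g.
# "system_u:object_r:httpd_suexec_exec_t:s0" -> "httpd_suexec_exec_t".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True when the on-disk label of suexec equals what file_contexts says.
# A chcon to sbin_t shows up as a mismatch; restorecon or the next httpd
# package upgrade relabels the file, which is why comment 9 rejects it.
label_matches_policy() {
    expected=$(context_type "$(matchpathcon -n "$SUEXEC")")
    actual=$(context_type "$(stat -c %C "$SUEXEC")")
    [ "$expected" = "$actual" ]
}

suexec_disable_persistently() {
    echo "$BOOL before: $(bool_state "$(getsebool "$BOOL")")"
    if label_matches_policy; then
        echo "$SUEXEC carries its policy label (no chcon override)."
    else
        echo "$SUEXEC label differs from policy; restoring it."
        restorecon -v "$SUEXEC"
    fi
    # -P writes the value to the policy store, so it survives reboots
    # and package upgrades, unlike a chcon on the binary.
    setsebool -P "$BOOL" on
    echo "$BOOL after: $(bool_state "$(getsebool "$BOOL")")"
}

if [ "${1:-}" = apply ]; then
    suexec_disable_persistently
fi
```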