Bug 155716
Summary: | RFE: SELinux boolean to disable suexec | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Joe Orton <jorton> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | gajownik |
Target Milestone: | --- | Keywords: | FutureFeature |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | 1.23.12-5 | Doc Type: | Enhancement |
Last Closed: | 2005-08-13 20:05:39 UTC | Type: | --- |
Description
Joe Orton
2005-04-22 14:53:25 UTC
Do you want this separate from httpd_enable_cgi? We also added httpd_allow_builtin_scripting.

Dan

Separate from httpd_enable_cgi: yes. What does httpd_allow_builtin_scripting do? Control the "PHP scripts doing random stuff in random places" policy?

httpd_allow_builtin_scripting stops built-in PHP from working.

```
if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
    domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
    create_dir_file(httpd_t, httpdcontent)
}

if (httpd_builtin_scripting) {
    r_dir_file(httpd_t, httpd_$1_script_ro_t)
    create_dir_file(httpd_t, httpd_$1_script_rw_t)
    ra_dir_file(httpd_t, httpd_$1_script_ra_t)
}
```

You can remove httpd_suexec_exec_t from /usr/sbin/suexec and get the same effect.

```
chcon -t sbin_t /usr/sbin/suexec
```

Dan

But that context change would not persist across an upgrade of the httpd package, right? That can already be achieved using just "chmod 000"; but we want a solution which is *persistent* across upgrades.

OK, you've beaten me into submission. selinux-policy-*-1.23.12-5 has httpd_suexec_disable_trans
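The persistence concern raised in the thread (a `chcon` label being reset while a policy boolean survives) can be checked by comparing on-disk labels with the policy default. The script below is an added example, not part of the bug report or the policy package; it assumes the two `matchpathcon -V` output line shapes noted in its comments, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: report file labels that differ from the policy default.
# Input is the text produced by `matchpathcon -V <path>...`; the two line
# shapes handled here are an assumption about that tool's output:
#   <path> verified.
#   <path> has context <current>, should be <default>

# Extract the type field (third colon-separated field) from a context.
# Works with or without a trailing MLS level (user:role:type[:level]).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read matchpathcon -V output on stdin and print
# "<path> <current_type> <default_type>" for every path whose label
# a relabel or package upgrade would reset to the default.
label_drift() {
    while IFS= read -r line; do
        case $line in
            *" has context "*", should be "*)
                path=${line%% has context *}
                rest=${line#* has context }
                current=${rest%%, should be *}
                default=${rest#*, should be }
                printf '%s %s %s\n' "$path" \
                    "$(context_type "$current")" \
                    "$(context_type "$default")"
                ;;
        esac
    done
}

# Constructed sample: suexec after `chcon -t sbin_t`, httpd untouched.
SAMPLE='/usr/sbin/httpd verified.
/usr/sbin/suexec has context system_u:object_r:sbin_t, should be system_u:object_r:httpd_suexec_exec_t'

printf '%s\n' "$SAMPLE" | label_drift
```

On a live system the input would come from `matchpathcon -V /usr/sbin/suexec`; any path reported carries a local label that will not survive a relabel, which is the gap the boolean closes.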