Bug 197473
Summary: | selinux policy for apache denies shell commands via PHP
---|---
Product: | [Fedora] Fedora
Component: | selinux-policy-targeted
Version: | 5
Hardware: | All
OS: | Linux
Status: | CLOSED CURRENTRELEASE
Severity: | medium
Priority: | medium
Reporter: | Carl Roth <roth>
Assignee: | Daniel Walsh <dwalsh>
Fixed In Version: | Current
Doc Type: | Bug Fix
Last Closed: | 2007-03-28 20:04:13 UTC
Description
Carl Roth
2006-07-02 18:04:05 UTC
If you set the httpd_ssi_exec boolean does it fix your problem?

setsebool -P httpd_ssi_exec=1

Sorry for the delayed response. No, that doesn't fix the problem. That bool was enabled on my system in the first place.

Could you attach the avc messages generated?

The latest system I tried this on is running selinux-policy-targeted 2.3.2, and it no longer exhibits this problem.

The only issue I'm seeing now with PHP scripts is the eventpollfs issue:

type=AVC msg=audit(1154363527.022:74215): avc: denied { read } for pid=27588 comm="sh" name="[14015870]" dev=eventpollfs ino=14015870 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:eventpollfs_t:s0 tclass=file
type=SYSCALL msg=audit(1154363527.022:74215): arch=40000003 syscall=11 success=yes exit=0 a0=668f77 a1=bfac8c0c a2=bfacc91c a3=400 items=2 pid=27588 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:httpd_sys_script_t:s0
type=AVC_PATH msg=audit(1154363527.022:74215): path="eventpoll:[14015870]"
type=CWD msg=audit(1154363527.022:74215): cwd="/var/www/html/phpwims"
type=PATH msg=audit(1154363527.022:74215): item=0 name="/bin/sh" inode=2981976 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0

I fixed this by adding

gen_require(`
type httpd_sys_script_t;
')
fs_read_eventpollfs(httpd_sys_script_t)

to my local configuration.

Closing bugs
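Before adopting a local policy change like the one in the last comment, it helps to see exactly which access the denial names. The following is an added example, not part of the bug report or of selinux-policy: it parses AVC records and merges them into raw allow rules for review. The function names are hypothetical, and the second denial in the sample is constructed.

```python
import re
from collections import defaultdict

# Matches the kernel's "avc: denied { perms } ... scontext= tcontext= tclass=" text.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None for non-denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # SYSCALL, AVC_PATH, CWD and PATH records carry no denial
    return (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
            m["tclass"], frozenset(m["perms"].split()))

def suggest_rules(log_text):
    """Merge denials per (source, target, class) into sorted allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed and parsed[3]:
            src, tgt, tclass, perms = parsed
            merged[(src, tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, tclass, perm_text))
    return rules

# AVC and AVC_PATH records from the report (line-wrap spaces removed), followed by
# one CONSTRUCTED getattr denial so the merge step has something to combine.
SAMPLE = """\
type=AVC msg=audit(1154363527.022:74215): avc: denied { read } for pid=27588 comm="sh" name="[14015870]" dev=eventpollfs ino=14015870 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:eventpollfs_t:s0 tclass=file
type=AVC_PATH msg=audit(1154363527.022:74215): path="eventpoll:[14015870]"
type=AVC msg=audit(1154363530.100:74301): avc: denied { getattr } for pid=27590 comm="sh" name="[14015870]" dev=eventpollfs ino=14015870 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:eventpollfs_t:s0 tclass=file
"""

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE):
        print(rule)
```

For the record in the report alone it yields `allow httpd_sys_script_t eventpollfs_t:file read;`, which is the access the denial names.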