Description of problem: It would be really useful if there was a boolean which allowed users to enable or disable suexec access from httpd. Currently there's no way to turn this on or off globally otherwise. It should default to "on" to maintain current behaviour.
Do you want this separate from httpd_enable_cgi? We also added httpd_allow_builtin_scripting. Dan
Separate from httpd_enable_cgi: yes. What does httpd_allow_builtin_scripting do? Control the "PHP scripts doing random stuff in random places" policy?
httpd_allow_builtin_scripting stops built-in PHP from working:

    # httpd_t may transition into the script domain for content it owns only
    # when CGI, the unified content type and built-in scripting are all enabled
    # (and, in the targeted policy, httpd itself is not running untransitioned)
    if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
        domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
        create_dir_file(httpd_t, httpdcontent)
    }

    # with built-in scripting on, httpd_t itself gets read, read/write and
    # read/append access to the per-role script content types
    if (httpd_builtin_scripting) {
        r_dir_file(httpd_t, httpd_$1_script_ro_t)
        create_dir_file(httpd_t, httpd_$1_script_rw_t)
        ra_dir_file(httpd_t, httpd_$1_script_ra_t)
    }
You can remove httpd_suexec_exec_t from /usr/sbin/suexec and get the same effect: chcon -t sbin_t /usr/sbin/suexec. Dan
But that context change would not persist across an upgrade of the httpd package, right? That can already be achieved using just "chmod 000"; but we want a solution which is *persistent* across upgrades.
Ok, you beat me into submission. selinux-policy-*-1.23.12-5 has httpd_suexec_disable_trans
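The thread contrasts two ways of stopping httpd from reaching suexec: a one-off chcon of /usr/sbin/suexec to sbin_t, which a package upgrade or relabel reverts, and the httpd_suexec_disable_trans boolean, which setsebool -P stores persistently. The following shell script is an added example (not code from the bug report or from the policy package) that audits a host for exactly that difference: it compares the live context of the suexec binary with the policy default from matchpathcon and reports the current value of the boolean. The helper functions work on plain strings so they can be exercised offline; the sample contexts and getsebool line used for them are constructed. It assumes the standard SELinux userland (getsebool, matchpathcon, ls -Z) is installed when run with the "audit" argument.

```shell
#!/bin/sh
# Added example: detect whether suexec has been "disabled" via a non-persistent
# chcon (live type != policy default type) and show the persistent boolean
# httpd_suexec_disable_trans that the thread ends with. Not part of the original
# bug report; the paths and tool names are standard SELinux userland.

SUEXEC=/usr/sbin/suexec   # assumption: Red Hat / Fedora location of suexec

# Print the type field (third colon-separated component) of a security context,
# e.g. "system_u:object_r:httpd_suexec_exec_t:s0" -> "httpd_suexec_exec_t".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 when the live context's type differs from the policy default's type.
# A difference means a chcon-style change that restorecon or an RPM upgrade
# (which relabels the file from file_contexts) will undo.
context_drifted() {
    live_type=$(context_type "$1")
    default_type=$(context_type "$2")
    [ "$live_type" != "$default_type" ]
}

# Take one getsebool line ("httpd_suexec_disable_trans --> on") and print the
# value after the arrow ("on" or "off").
bool_value() {
    printf '%s\n' "$1" | awk '{print $3}'
}

# Pull the context field out of `ls -Z` output; older and newer coreutils put it
# in different columns, so scan for the field containing ":object_r:".
live_context() {
    ls -Z "$1" 2>/dev/null | awk '{for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) print $i}'
}

# Live audit of this host; only meaningful where SELinux and the httpd policy
# are present.
audit_suexec() {
    live=$(live_context "$SUEXEC")
    default=$(matchpathcon "$SUEXEC" 2>/dev/null | awk '{print $2}')
    if [ -z "$live" ] || [ -z "$default" ]; then
        echo "cannot read SELinux contexts for $SUEXEC (no SELinux tools or no label)"
        return 1
    fi
    if context_drifted "$live" "$default"; then
        echo "$SUEXEC is labelled $(context_type "$live") but policy says $(context_type "$default"):"
        echo "  this looks like a manual chcon; it will be reverted by restorecon or an httpd upgrade"
    else
        echo "$SUEXEC carries its policy default label $(context_type "$default")"
    fi
    line=$(getsebool httpd_suexec_disable_trans 2>/dev/null)
    if [ -n "$line" ]; then
        echo "httpd_suexec_disable_trans is $(bool_value "$line") (change persistently with: setsebool -P httpd_suexec_disable_trans on|off)"
    else
        echo "httpd_suexec_disable_trans not present in the loaded policy (needs selinux-policy >= 1.23.12-5)"
    fi
}

# Run the live audit only when asked, so the helpers can be sourced or tested offline.
if [ "${1:-}" = audit ]; then
    audit_suexec
fi
```

Run as `sh suexec_audit.sh audit` on an SELinux host. The script deliberately does not interpret what the boolean's value does beyond reporting it; the persistent fix is whichever setsebool -P value the policy defines for your intent, while a bare chcon is the thing this audit is meant to catch.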