Bug 155716 - RFE: SELinux boolean to disable suexec
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Keywords: FutureFeature
Reported: 2005-04-22 10:53 EDT by Joe Orton
Modified: 2007-11-30 17:11 EST
Fixed In Version: 1.23.12-5
Doc Type: Enhancement
Last Closed: 2005-08-13 16:05:39 EDT
Description Joe Orton 2005-04-22 10:53:25 EDT
Description of problem:
It would be really useful if there was a boolean which allowed users to enable
or disable suexec access from httpd.  Currently there's no way to turn this on
or off globally otherwise.

It should default to "on" to maintain current behaviour.
Comment 2 Daniel Walsh 2005-04-22 13:33:50 EDT
Do you want this separate from httpd_enable_cgi?

We also added httpd_allow_builtin_scripting.

Dan
Comment 4 Joe Orton 2005-04-25 08:23:01 EDT
Separate from httpd_enable_cgi: yes.  What does httpd_allow_builtin_scripting
do?  Control the "PHP scripts doing random stuff in random places" policy?
Comment 6 Daniel Walsh 2005-04-25 11:51:58 EDT
httpd_allow_builtin_scripting stops built-in PHP from working.

# CGI: let httpd_t transition into httpd_sys_script_t when executing httpd content
if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting
ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
    domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
    create_dir_file(httpd_t, httpdcontent)
}
# built-in scripting: httpd_t itself gets read / create / read-append access
# to the per-script-type data types, since no domain transition happens
if (httpd_builtin_scripting) {
    r_dir_file(httpd_t, httpd_$1_script_ro_t)
    create_dir_file(httpd_t, httpd_$1_script_rw_t)
    ra_dir_file(httpd_t, httpd_$1_script_ra_t)
}

Comment 8 Daniel Walsh 2005-04-25 12:00:28 EDT
You can remove httpd_suexec_exec_t from /usr/sbin/suexec and get the same effect:

chcon -t sbin_t /usr/sbin/suexec

Dan
Comment 9 Joe Orton 2005-04-25 12:44:56 EDT
But that context change would not persist across an upgrade of the httpd
package, right?  That can already be achieved using just "chmod 000"; but we
want a solution which is *persistent* across upgrades.
Comment 10 Daniel Walsh 2005-04-25 13:55:00 EDT
Ok, you've beaten me into submission.

selinux-policy-*-1.23.12-5 has 

httpd_suexec_disable_trans
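The thread above describes two ways of stopping httpd from entering the suexec domain: relabelling /usr/sbin/suexec away from httpd_suexec_exec_t (comment 8, which restorecon or a package upgrade undoes, as comment 9 objects) and the persistent boolean httpd_suexec_disable_trans added in selinux-policy 1.23.12-5 (comment 10). The script below is an added example written for this page; it is not part of the bug report or of the selinux-policy package. It checks which mechanism is in effect and flags a label that the policy's file_contexts will revert. It assumes the standard "name --> on" output of getsebool -a, the "%C" context format of GNU stat, and matchpathcon's -n flag; the sample listing and contexts in it are constructed, and the boolean and type names are the ones named in the thread.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether httpd_t can still
# transition into httpd_suexec_t on this host, and whether a chcon-only
# change to /usr/sbin/suexec is going to be undone by the next relabel.

# Print on/off for boolean NAME in a "getsebool -a"-style LISTING
# (lines of the form "name --> on"); prints "unknown" if NAME is absent.
sebool_state() {
    name=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v n="$name" '
        $1 == n && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "unknown" }'
}

# Extract the type field of a full context:
# system_u:object_r:httpd_suexec_exec_t:s0 -> httpd_suexec_exec_t
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 when httpd cannot transition into the suexec domain: either the
# boolean from comment 10 is on, or the binary no longer carries the
# entrypoint type (the chcon workaround from comment 8).
suexec_transition_blocked() {
    bool_state=$1
    file_type=$2
    [ "$bool_state" = on ] || [ "$file_type" != httpd_suexec_exec_t ]
}

# Exit 0 when the on-disk label differs from what the policy's file_contexts
# specify; that is exactly the label restorecon or an httpd upgrade resets.
label_will_revert() {
    current=$1
    policy=$2
    [ "$current" != "$policy" ]
}

# Constructed sample data: a host running the 1.23.12-5 policy that has
# had "chcon -t sbin_t /usr/sbin/suexec" applied but the boolean left off.
SAMPLE_BOOLS='httpd_enable_cgi --> on
httpd_builtin_scripting --> on
httpd_suexec_disable_trans --> off'
SAMPLE_CURRENT_CTX='system_u:object_r:sbin_t:s0'
SAMPLE_POLICY_CTX='system_u:object_r:httpd_suexec_exec_t:s0'

report() {
    bools=$1; current=$2; policy=$3
    state=$(sebool_state httpd_suexec_disable_trans "$bools")
    echo "httpd_suexec_disable_trans: $state"
    echo "current label: $current (type $(label_type "$current"))"
    echo "policy label:  $policy"
    if suexec_transition_blocked "$state" "$(label_type "$current")"; then
        echo "suexec transition: blocked"
    else
        echo "suexec transition: allowed"
    fi
    if label_will_revert "$current" "$policy"; then
        echo "warning: label differs from policy; restorecon or an httpd upgrade"
        echo "will restore $(label_type "$policy"). Persist the choice instead with:"
        echo "  setsebool -P httpd_suexec_disable_trans 1"
    fi
}

if command -v getsebool >/dev/null 2>&1 && command -v matchpathcon >/dev/null 2>&1 \
   && [ -e /usr/sbin/suexec ]; then
    # Live SELinux host: read the real boolean listing and both labels.
    report "$(getsebool -a 2>/dev/null)" \
           "$(stat -c %C /usr/sbin/suexec)" \
           "$(matchpathcon -n /usr/sbin/suexec)"
else
    # No SELinux userland here: run against the constructed sample instead.
    report "$SAMPLE_BOOLS" "$SAMPLE_CURRENT_CTX" "$SAMPLE_POLICY_CTX"
fi
```

On the sample data the script reports the transition as blocked (the label no longer matches httpd_suexec_exec_t) but warns that the block is temporary, which is the situation comment 9 describes. On policies that ship semanage, Dan's relabelling approach can itself be made persistent with `semanage fcontext -a -t <type> /usr/sbin/suexec` followed by `restorecon -v /usr/sbin/suexec`, because local file-context modifications are consulted by later relabels and package installs; that tooling did not exist when this bug was filed, which is why the boolean was the persistent option.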


