Description of problem:
The apache.te file in the selinux targeted policy for FC5 allows Apache to invoke commands in bin (corecmd_exec_bin) and sbin (corecmd_exec_sbin), but it does not allow shell scripts (corecmd_exec_shell). This means that the back-tick operator in PHP scripts does not work. By default, the back-tick expansion invokes /bin/sh on the script.

Version-Release number of selected component (if applicable):
This was found on selinux-policy-targeted-2.2.43-4.fc5 on a PPC.
If you set the httpd_ssi_exec boolean, does it fix your problem?

setsebool -P httpd_ssi_exec=1
Sorry for the delayed response. No, that doesn't fix the problem. That bool was enabled on my system in the first place.
Could you attach the avc messages generated?
The latest system I tried this on is running selinux-policy-targeted 2.3.2, and it no longer exhibits this problem. The only issue I'm seeing now with PHP scripts is the eventpollfs issue:

type=AVC msg=audit(1154363527.022:74215): avc: denied { read } for pid=27588 comm="sh" name="[14015870]" dev=eventpollfs ino=14015870 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:eventpollfs_t:s0 tclass=file
type=SYSCALL msg=audit(1154363527.022:74215): arch=40000003 syscall=11 success=yes exit=0 a0=668f77 a1=bfac8c0c a2=bfacc91c a3=400 items=2 pid=27588 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:httpd_sys_script_t:s0
type=AVC_PATH msg=audit(1154363527.022:74215): path="eventpoll:[14015870]"
type=CWD msg=audit(1154363527.022:74215): cwd="/var/www/html/phpwims"
type=PATH msg=audit(1154363527.022:74215): item=0 name="/bin/sh" inode=2981976 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0

I fixed this by adding

gen_require(`
	type httpd_sys_script_t;
')
fs_read_eventpollfs(httpd_sys_script_t)

to my local configuration.
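Added example, not part of this bug report or of the Fedora policy sources: a small audit2allow-style script that turns AVC denials like the ones quoted above into a local policy module. The parser, the function names (parse_avc_denials, allow_rules, policy_module) and the module name myhttpd are my own. The sample log is constructed: the first record is the eventpollfs denial from the comment above reflowed onto one line, and the second is a made-up shell_exec_t denial of the same shape to illustrate the corecmd_exec_shell case from the original report. The output uses raw allow rules; the bug's own fix uses the refpolicy interface macro fs_read_eventpollfs, which is the better choice when such an interface exists.

```python
import re
from collections import defaultdict

# Constructed sample audit log (see lead-in). The second AVC record is invented
# to show what a corecmd_exec_shell-type denial looks like; it is not from the bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1154363527.022:74215): avc: denied { read } for pid=27588 comm="sh" name="[14015870]" dev=eventpollfs ino=14015870 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:eventpollfs_t:s0 tclass=file
type=SYSCALL msg=audit(1154363527.022:74215): arch=40000003 syscall=11 success=yes exit=0
type=AVC msg=audit(1154363600.100:74300): avc: denied { execute } for pid=27600 comm="php" name="sh" dev=dm-0 ino=2981976 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
"""

# Fields we need from an AVC record: the permission set and the three
# context/class fields that identify the rule SELinux consulted.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """user:role:type[:level] -> type. The MLS level may be absent on
    older kernels, so take the third colon-separated field."""
    return context.split(':')[2]


def parse_avc_denials(text):
    """Return one dict per AVC 'denied' record; other audit record types
    (SYSCALL, PATH, CWD, AVC_PATH) are skipped."""
    denials = []
    for line in text.splitlines():
        if 'type=AVC ' not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            'perms': set(m.group('perms').split()),
            'source': selinux_type(m.group('scontext')),
            'target': selinux_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
        })
    return denials


def allow_rules(denials):
    """Merge denials that share (source, target, class) into one allow rule
    each, so repeated denials of the same pair do not produce duplicate rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d['source'], d['target'], d['tclass'])] |= d['perms']
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def policy_module(name, denials):
    """Render a minimal .te module: a policy_module header, a gen_require
    block declaring every type the rules reference (as the bug's own local
    fix does for httpd_sys_script_t), then the allow rules."""
    types = sorted({d['source'] for d in denials} | {d['target'] for d in denials})
    lines = [f"policy_module({name}, 1.0)", "", "gen_require(`"]
    lines += [f"\ttype {t};" for t in types]
    lines += ["')", ""]
    lines += allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_module("myhttpd", parse_avc_denials(SAMPLE_AUDIT_LOG)))
```

Save the printed module as myhttpd.te, then build and load it with the standard toolchain: checkmodule -M -m -o myhttpd.mod myhttpd.te, semodule_package -o myhttpd.pp -m myhttpd.mod, semodule -i myhttpd.pp. Before loading anything, check that each generated allow rule is really the access you want to grant; a denial of execute on shell_exec_t from httpd_t is exactly the decision the original report is about, and the right answer for the general case is the policy's own corecmd_exec_shell interface or a boolean, not an unconditional local allow.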
Closing bugs