On Sun, 2006-05-28 at 10:58 +0100, Paul Howarth wrote:
On Sun, 2006-05-28 at 12:43 +0300, Jouni Viikari wrote:
> I have the same problem:
>
> type=AVC msg=audit(1148808793.986:30189): avc: denied { execute } for
> pid=18644 comm="httpd" name="bash" dev=dm-0 ino=3440979
> scontext=user_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>
>
> Not sure which update started it. Script complaining now used to work
> before on FC5.
>
> # getsebool -a | grep http
> allow_httpd_anon_write --> off
> allow_httpd_sys_script_anon_write --> off
> httpd_builtin_scripting --> on
> httpd_can_network_connect --> on
> httpd_can_network_connect_db --> off
> httpd_can_network_relay --> off
> httpd_disable_trans --> off
> httpd_enable_cgi --> on
> httpd_enable_ftp_server --> off
> httpd_enable_homedirs --> on
> httpd_ssi_exec --> off
> httpd_suexec_disable_trans --> off
> httpd_tty_comm --> off
> httpd_unified --> off
>
> # rpm -qa | grep -i policy
> selinux-policy-targeted-2.2.40-1.fc5
> checkpolicy-1.30.3-1.fc5
> policycoreutils-1.30.8-1.fc5
> selinux-policy-2.2.40-1.fc5

What's the context of the actual script?

Paul.

It is a PHP script doing basically an ugly 'system("cat xyz");'

# ls -Z
system_u:object_r:httpd_sys_content_t

This is just a testing_something.php where I happened to notice a change
in behavior.

Jouni
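
The AVC record quoted in this thread, unwrapped from its mail quoting and parsed into source domain, target type, class and permission. This is an added example, not part of the original messages; the function names `unwrap`, `parse_avc` and `summarize` are hypothetical, and the sample input is the denial copied from the thread.

```python
import re

# The denial from the thread, kept as it appears there: wrapped and
# '>'-quoted by the mail client.
QUOTED = """\
> type=AVC msg=audit(1148808793.986:30189): avc: denied { execute } for
> pid=18644 comm="httpd" name="bash" dev=dm-0 ino=3440979
> scontext=user_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unwrap(text):
    """Strip mail quote markers and rejoin wrapped lines into one record."""
    parts = [re.sub(r"^(?:>\s?)+", "", ln).strip() for ln in text.splitlines()]
    return " ".join(p for p in parts if p)


def parse_avc(record):
    """Return a dict of the AVC fields, or None if this is not an AVC record."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    # A context is user:role:type[:level]; the level itself may contain ':'
    # (MLS/MCS ranges such as s0-s0:c0.c1023), so split at most three times.
    for key in ("scontext", "tcontext"):
        if key in fields:
            fields[key[0] + "type"] = fields[key].split(":", 3)[2]
    return fields


def summarize(f):
    """One line in the 'source domain -> target type' form used in policy rules."""
    return "%s: %s -> %s:%s { %s } (comm=%s, name=%s)" % (
        f["result"], f["stype"], f["ttype"], f["tclass"],
        " ".join(f["perms"]), f.get("comm", "?"), f.get("name", "?"))


if __name__ == "__main__":
    print(summarize(parse_avc(unwrap(QUOTED))))
```

The summary shows that the denial concerns `httpd_t` executing the shell binary (`shell_exec_t`), not the PHP file labelled `httpd_sys_content_t`.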