SELinux settings for a program run either by apache or user?

Colin Walters walters at redhat.com
Thu Jan 20 16:05:07 UTC 2005


On Thu, 2005-01-20 at 10:47 -0500, Daniel J Walsh wrote:

> This sounds like a bug.  A user executing a httpd script should not be 
> changing context to httpd_sys_script_t, correct?

There's an explicit rule for this now, in
macros/program/apache_macros.te:

ifelse($1, sys, `
#
# If a user starts a script by hand it gets the proper context
#
domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
role sysadm_r types httpd_$1_script_t;
', `

# If a user starts a script by hand it gets the proper context
domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
role $1_r types httpd_$1_script_t;
')

We probably want to just drop this in targeted policy.  In strict, we
grant userdomains access to all the derived types such as
httpd_sys_content_t, so not doing the transition (i.e. just changing it
to can_exec, or maybe domain_trans) should allow the CGI script to
continue to work, at first glance.  But I have a feeling there was a
particular reason policy has this rule; clearly it was intentional.
I'll think about this for a bit.
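As an added example that is not part of the thread, here is a small Python model of what the three macro choices mentioned above (domain_auto_trans, domain_trans, can_exec) grant, and which domain a user who runs the CGI by hand ends up in under each. The rule expansions approximate the old example policy's core_macros.te and are an assumption, not a copy of it; the type names are the ones from the message.

```python
# Toy model of the example-policy macros; expansions are approximate (assumed).
def can_exec(src, exe):
    """Caller may run the file but stays in its own domain (execute_no_trans)."""
    return {("allow", src, exe, "file",
             frozenset({"read", "getattr", "execute", "execute_no_trans"}))}

def domain_trans(src, exe, dst):
    """Transition to dst is permitted, but only when explicitly requested."""
    return {
        ("allow", src, exe, "file", frozenset({"getattr", "execute"})),
        ("allow", src, dst, "process", frozenset({"transition"})),
        ("allow", dst, exe, "file", frozenset({"entrypoint"})),
    }

def domain_auto_trans(src, exe, dst):
    """domain_trans plus a type_transition, so the switch happens by default."""
    return domain_trans(src, exe, dst) | {("type_transition", src, exe, "process", dst)}

def resulting_domain(rules, src, exe, requested=None):
    """Domain a process in `src` lands in after exec'ing a file of type `exe`,
    or None if the kernel would deny the exec. `requested` models a runcon-style
    explicit request for a target domain."""
    def allowed(s, t, cls, perm):
        return any(r[0] == "allow" and r[1:4] == (s, t, cls) and perm in r[4]
                   for r in rules)
    if not allowed(src, exe, "file", "execute"):
        return None
    # Default target: the type_transition rule if one matches, else the caller's domain.
    dst = next((r[4] for r in rules
                if r[0] == "type_transition" and r[1:3] == (src, exe)), src)
    if requested:
        dst = requested
    if dst == src:  # no domain change: needs execute_no_trans
        return src if allowed(src, exe, "file", "execute_no_trans") else None
    if allowed(src, dst, "process", "transition") and allowed(dst, exe, "file", "entrypoint"):
        return dst
    return None

def compare(user="user_t", exe="httpd_sys_script_exec_t", script="httpd_sys_script_t"):
    """Outcome of a user running the CGI by hand under each macro choice."""
    return {
        "domain_auto_trans": resulting_domain(domain_auto_trans(user, exe, script), user, exe),
        "domain_trans": resulting_domain(domain_trans(user, exe, script), user, exe),
        "domain_trans+runcon": resulting_domain(domain_trans(user, exe, script), user, exe,
                                                requested=script),
        "can_exec": resulting_domain(can_exec(user, exe), user, exe),
    }
```

Only domain_auto_trans moves the user's shell into httpd_sys_script_t on its own; with plain domain_trans the exec is denied unless the transition is requested, and with can_exec the script keeps running as user_t.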
