[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Selinux & httpd in FC5

From: Jouni Viikari <jouni viikarit com>
To: fedora-selinux-list redhat com
Subject: Selinux & httpd in FC5
Date: Tue, 4 Apr 2006 13:52:21 +0300 (EEST)

Hi,

I just noticed that I was able to run cgi-scripts on apache which type was
bin_t instead of httpd_sys_script_exec_t.  Is this expected nowadays?  I
am using FC5 with the latest updates
(selinux-policy-targeted-2.2.25-3.fc5)

Also this bin_t script was able to read files which were by accident
httpd_sys_script_exec_t type.

My booleans:

# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_ssi_exec --> on
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> off

BTW, is there a way or tools to find out what e.g. httpd_exec_t program is
allowed to do (and what do the booleans really affect) on currently active
policy?

Best regards,

Jouni

Follow-Ups:
- Re: Selinux & httpd in FC5
  - From: Daniel J Walsh

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]