Selinux & httpd in FC5

Daniel J Walsh dwalsh at redhat.com
Thu Apr 6 18:34:07 UTC 2006


Jouni Viikari wrote:
> Hi,
>
> I just noticed that I was able to run cgi-scripts on apache which type was
> bin_t instead of httpd_sys_script_exec_t.  Is this expected nowadays?  I
> am using FC5 with the latest updates
> (selinux-policy-targeted-2.2.25-3.fc5)
>
apache is allowed to execute bin_t. 
> Also this bin_t script was able to read files which were by accident
> httpd_sys_script_exec_t type.
The fact the script was bin_t does not mean that it was running in that 
domain.

Basically there is no domain transition happening.  Apache runs in 
httpd_t, which is allowed to run bin_t.  But it will stay in the context 
of httpd_t.  So when the bin_t labeled application runs 
httpd_sys_script_exec_t, from SELinux's point of view it is httpd_t 
executing httpd_sys_script_exec_t.   In this case there will be a 
transition to httpd_sys_script_t.
> My booleans:
>
> # getsebool -a | grep httpd
> allow_httpd_anon_write --> off
> allow_httpd_sys_script_anon_write --> off
> httpd_builtin_scripting --> on
> httpd_can_network_connect --> on
> httpd_can_network_connect_db --> off
> httpd_can_network_relay --> off
> httpd_disable_trans --> off
> httpd_enable_cgi --> on
> httpd_enable_ftp_server --> off
> httpd_enable_homedirs --> on
> httpd_ssi_exec --> on
> httpd_suexec_disable_trans --> off
> httpd_tty_comm --> off
> httpd_unified --> off
>
> BTW, is there a way or tools to find out what e.g. httpd_exec_t program is
> allowed to do (and what do the booleans really affect) on currently active
> policy?
>
apol
> Best regards,
>
> Jouni
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   
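The exec chain discussed in the reply (httpd_t runs a bin_t script, which in turn runs an httpd_sys_script_exec_t file), modelled as an added example that is not part of the original thread. The four type names come from the message; the rule set is a constructed subset written to match what the reply states, not the real FC5 targeted policy, and the three-part check (execute on the file, transition to the new domain, entrypoint for the new domain) is the standard SELinux domain-transition requirement.

```python
"""Model of the SELinux domain-transition decision described in the reply.

Constructed illustration: the rules below are a hand-written subset that
mirrors what the message says, so the domain and type names are taken from
the thread but the policy's exact shape is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    # allow <source> <file_type>:file { execute }  -- what a domain may exec
    execute: frozenset
    # allow <source> <new_domain>:process { transition }
    transition: frozenset
    # allow <new_domain> <file_type>:file { entrypoint }
    entrypoint: frozenset
    # type_transition <source> <file_type>:process <new_domain> -- automatic switch
    type_transition: dict


# Constructed subset reflecting the reply: httpd_t may run bin_t but there is
# no transition rule for it, so the process stays in httpd_t; executing
# httpd_sys_script_exec_t does transition to httpd_sys_script_t.
FC5_LIKE = Policy(
    execute=frozenset({
        ("httpd_t", "bin_t"),
        ("httpd_t", "httpd_sys_script_exec_t"),
    }),
    transition=frozenset({("httpd_t", "httpd_sys_script_t")}),
    entrypoint=frozenset({("httpd_sys_script_t", "httpd_sys_script_exec_t")}),
    type_transition={("httpd_t", "httpd_sys_script_exec_t"): "httpd_sys_script_t"},
)


def exec_result(policy, domain, file_type):
    """Return the domain a process in `domain` runs in after exec'ing a file
    labelled `file_type`; raise PermissionError if the exec would be denied."""
    if (domain, file_type) not in policy.execute:
        raise PermissionError(f"{domain} may not execute {file_type}")
    new = policy.type_transition.get((domain, file_type))
    if new is None:
        # No type_transition rule: the exec succeeds and the domain is unchanged.
        # This is the bin_t case from the thread.
        return domain
    # A transition only goes through if both remaining pieces are allowed;
    # otherwise the execve itself fails.
    if (domain, new) not in policy.transition:
        raise PermissionError(f"{domain} may not transition to {new}")
    if (new, file_type) not in policy.entrypoint:
        raise PermissionError(f"{file_type} is not an entrypoint for {new}")
    return new


def exec_chain(policy, start, file_types):
    """Follow a chain of execs and return the domain after each step."""
    domains = []
    domain = start
    for file_type in file_types:
        domain = exec_result(policy, domain, file_type)
        domains.append(domain)
    return domains


if __name__ == "__main__":
    # The exact sequence from the question: apache -> bin_t script -> CGI.
    for step, dom in zip(["bin_t", "httpd_sys_script_exec_t"],
                         exec_chain(FC5_LIKE, "httpd_t",
                                    ["bin_t", "httpd_sys_script_exec_t"])):
        print(f"after exec of {step}: running as {dom}")
```

On a live system the same three questions are what `sesearch -A -s httpd_t -t bin_t -c file -p execute` and `sesearch -T -s httpd_t -t httpd_sys_script_exec_t -c process` answer, and apol, named in the reply, shows the same rules graphically; the model above only makes the decision logic explicit.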