httpd can't execute bash?

Jouni Viikari jouni at viikarit.com
Fri Jun 9 05:44:15 UTC 2006


> Jouni Viikari wrote:
>> On Tue, 6 Jun 2006, James Antill wrote:
>>
>>> On Mon, 2006-05-29 at 19:47 +0300, Jouni Viikari wrote:
>>>> On Sun, 2006-05-28 at 10:58 +0100, Paul Howarth wrote:
>>>>> On Sun, 2006-05-28 at 12:43 +0300, Jouni Viikari wrote:
>>>>>> I have the same problem:
>>>>>>
>>>>>> type=AVC msg=audit(1148808793.986:30189): avc:  denied  { execute } for
>>>>>> pid=18644 comm="httpd" name="bash" dev=dm-0 ino=3440979
>>>>>> scontext=user_u:system_r:httpd_t:s0
>>>>>> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>>> [...]
>>>> It is a php-script doing basically ugly 'system("cat xyz");'
>>>>
>>>> #ls -Z
>>>> system_u:object_r:httpd_sys_content_t
>>>>
>>>> This is just a testing_something.php where I happened to notice a change
>>>> in a behavior.
>>>
>>> See "man httpd_selinux" ... summary is you need at least:
>>>
>>> chcon -t httpd_sys_exec_t
>>
>> Yeah, I thought the context might not be right.  Anyway the behaviour
>> has changed.
>>
>> However, there seems not to be httpd_sys_exec_t (trying above gives
>> "Invalid argument").  If I try httpd_sys_script_exec_t it does not work
>> either.
>>
>> Biggest problem I just found out is that I can not send mail any more from
>> SquirrelMail (standard FC5 package):
>>
>>
>> type=AVC msg=audit(1149674474.840:81196): avc:  denied  { execute } for
>> pid=20207 comm="httpd" name="bash" dev=dm-0 ino=3440979
>> scontext=user_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:shell_exec_t:s0
>> tclass=file
>>
> setsebool httpd_ssi_exec=1
>
> should turn this on

Confirm.  This made things work again (just like before).

Thank you.

-Jouni
