Revision history
initial version

That boolean is no longer available. The equivalent behaviour would be to manually label the suexec executable file type bin_t (discouraged)

chcon -t httpd_suexec_exec_t /usr/sbin/suexec

You can optionally make the httpd_suexec_t domain permissive:

I would like to announce a big step forward in SELinux

What does DAC_OVERRIDE mean:

"DAC_OVERRIDE allows a process to ignore Discretionary Access Controls including access lists."

The UID of SUEXEC does not have the needed (DAC) permissions to access the content.

What is the location of the content that SUEXEC cannot access?

Why doesn't SELinux give me the full path in an error message?

Raw Audit Messages

Possible solutions

The preferable way is to change the permission bits of the content that the process is trying to access where possible.

Sometimes the best solution is to allow the process the DAC_OVERRIDE capability. This depends on the situation.

Try to understand the situation by analyzing the raw audit messages (AVC denials).

SELinux User Guide

That boolean is no longer available. The equivalent behaviour would be to manually label the suexec executable file type bin_t (discouraged)

chcon -t httpd_suexec_exec_t /usr/sbin/suexec

You can optionally make the httpd_suexec_t domain permissive:

I would like to announce a big step forward in SELinux

What does DAC_OVERRIDE mean?

"DAC_OVERRIDE allows a process to ignore Discretionary Access Controls including access lists."

The UID of SUEXEC does not have the needed (DAC) permissions to access the content.

What is the location of the content that SUEXEC cannot access?

Why doesn't SELinux give me the full path in an error message?

Raw Audit Messages

Possible solutions

The preferable way is to change the permission bits of the content that the process is trying to access where possible.

Sometimes the best solution is to allow the process the DAC_OVERRIDE capability. This depends on the situation.

Try to understand the situation by analysing the raw audit messages (AVC denials).

SELinux User Guide

That boolean is no longer available. The equivalent behaviour would be to manually label the suexec executable file type bin_t (discouraged)

chcon -t bin_t /usr/sbin/suexec

You can optionally make the httpd_suexec_t domain permissive:

I would like to announce a big step forward in SELinux

What does DAC_OVERRIDE mean?

"DAC_OVERRIDE allows a process to ignore Discretionary Access Controls including access lists."

The UID of SUEXEC does not have the needed (DAC) permissions to access the content.

What is the location of the content that SUEXEC cannot access?

Why doesn't SELinux give me the full path in an error message?

Raw Audit Messages

Possible solutions

The preferable way is to change the permission bits of the content that the process is trying to access where possible.

Sometimes the best solution is to allow the process the DAC_OVERRIDE capability. This depends on the situation.

Try to understand the situation by analysing the raw audit messages (AVC denials).

SELinux User Guide
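
An added example, not part of the original answer: a dac_override denial is a capability check, so the AVC record itself carries no file path. The sketch below joins the AVC to the SYSCALL and PATH records that share its audit event id to show which file and which permission bits are involved. The log lines are constructed samples, and it assumes auditd logged SYSCALL and PATH records for the event, which depends on the audit configuration.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the original post); all values are illustrative.
SAMPLE_LOG = '''\
type=AVC msg=audit(1300000000.123:456): avc:  denied  { dac_override } for  pid=1234 comm="suexec" capability=1  scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=system_u:system_r:httpd_suexec_t:s0 tclass=capability
type=SYSCALL msg=audit(1300000000.123:456): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=1234 uid=48 gid=48 euid=48 comm="suexec" exe="/usr/sbin/suexec"
type=PATH msg=audit(1300000000.123:456): item=0 name="/var/www/cgi-bin/app.cgi" inode=1311 mode=0100700 ouid=0 ogid=0
type=AVC msg=audit(1300000001.500:457): avc:  denied  { read } for  pid=1300 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{ ([^}]*) \}')

def parse_events(text):
    """Group audit records by event id (timestamp:serial), then by record type."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        fields['perms'] = ' '.join(PERMS.findall(body)).split()
        events[event_id][rtype].append(fields)
    return events

def dac_override_denials(text):
    """For each dac_override AVC, pull caller and file details from sibling records."""
    findings = []
    for event_id, recs in parse_events(text).items():
        for avc in recs['AVC']:
            if 'dac_override' not in avc['perms']:
                continue
            sc = (recs['SYSCALL'] or [{}])[0]
            for path in recs['PATH'] or [{}]:
                findings.append({
                    'event': event_id, 'comm': avc.get('comm'),
                    'domain': avc.get('scontext', '').split(':')[2],
                    'uid': sc.get('uid'), 'exe': sc.get('exe'),
                    'path': path.get('name'), 'owner': path.get('ouid'),
                    # Low 12 bits of the octal mode are the permission bits.
                    'mode': oct(int(path['mode'], 8) & 0o7777) if 'mode' in path else None,
                })
    return findings

if __name__ == '__main__':
    print(dac_override_denials(SAMPLE_LOG))
```

In the sample, the caller runs as uid 48 while the file is owned by uid 0 with mode 0o700, which is the kind of DAC mismatch the answer suggests fixing with permission bits before considering the capability.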