Ask Your Question

can't set httpd_suexec_disable_trans

asked 2012-03-18 17:32:55 -0500

nepr gravatar image

updated 2012-03-18 17:48:12 -0500

Just installed FC16, trying to get httpd to execute scripts from my home directory (I'm the only user of this machine) with SELinux active. I've gotten to the point where httpd (Apache 2.2) is complaining about suexec. SELinux alert follows:

SELinux is preventing /usr/sbin/suexec from using the dac_override capability

Suggestions from the web (including Fedora docs for earlier releases) say to set httpdsuexecdisable_trans. But...

[root@NorvMaster nepr]# setsebool -P httpdsuexecdisabletrans 1 libsemanage.dbasellistset: record not found in the database libsemanage.dbasellistset: could not set record value Could not change boolean httpdsuexecdisabletrans Could not change policy booleans

getsebool list does not show an httpdsuexecdisabletrans entry. I can't find anything about how to do what httpdsuexecdisabletrans 1 would, presumably, do.

I'm about to turn SELinux off, so this isn't urgent; just a feeble attempt on my part to do what's, again presumably, right.



edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2012-03-19 06:09:05 -0500

domg472 gravatar image

updated 2012-03-19 06:21:37 -0500

That boolean is no longer available. The equivalent behaviour would be to manually label the suexec executable file type bin_t (discouraged)

chcon -t bin_t /usr/sbin/suexec

You can optionally make the httpd_suexec_t domain permissive:

I would like to announce a big step forward in SELinux

What does DAC_OVERRIDE mean?

"DAC_OVERRIDE allows a process to ignore Discretionary Access Controls including access lists."

The UID of SUEXEC does not have the needed (DAC) permissions to access the content.

What is the location of the content that SUEXEC cannot access?

Why doesn't SELinux give me the full path in an error message?

Raw Audit Messages

Possible solutions

The preferable way is to change the permission bits of the content that the process is trying to access where possible.

Sometimes the best solution is to allow the process the DAC_OVERRIDE capability. This depends on the the situation.

Try to understand the situation by analysing the raw audit messages (AVC denials).

SELinux User Guide

edit flag offensive delete link more


DAC_OVERRIDE isn't good solutions, because app will inherit ability to override all DAC (RWX) permissions, and behave as root does, without any control.

none gravatar imagenone ( 2013-08-07 06:47:27 -0500 )edit

answered 2013-08-07 06:45:48 -0500

none gravatar image

Fedora removed *_disable_trans booleans in favor to 'permissive domains'. semanage permissive -l will list you all security domains (types) that are in permissive mode, regardless of your SELinux mode (getenforce).

In your example, you could try: semanage permissive -a httpd_suexec_t, then restart your httpd server (if needed).

edit flag offensive delete link more

Question Tools


Asked: 2012-03-18 17:32:55 -0500

Seen: 452 times

Last updated: Aug 07 '13