Ask Your Question
1

can't set httpd_suexec_disable_trans

asked 2012-03-18 17:32:55 -0600

nepr gravatar image

updated 2012-03-18 17:48:12 -0600

Just installed FC16, trying to get httpd to execute scripts from my home directory (I'm the only user of this machine) with SELinux active. I've gotten to the point where httpd (Apache 2.2) is complaining about suexec. SELinux alert follows:

SELinux is preventing /usr/sbin/suexec from using the dac_override capability

Suggestions from the web (including Fedora docs for earlier releases) say to set httpdsuexecdisable_trans. But...

[root@NorvMaster nepr]# setsebool -P httpdsuexecdisabletrans 1 libsemanage.dbasellistset: record not found in the database libsemanage.dbasellistset: could not set record value Could not change boolean httpdsuexecdisabletrans Could not change policy booleans

getsebool list does not show an httpdsuexecdisabletrans entry. I can't find anything about how to do what httpdsuexecdisabletrans 1 would, presumably, do.

I'm about to turn SELinux off, so this isn't urgent; just a feeble attempt on my part to do what's, again presumably, right.

Thanks,

Norvel

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
1

answered 2012-03-19 06:09:05 -0600

domg472 gravatar image

updated 2012-03-19 06:21:37 -0600

That boolean is no longer available. The equivalent behaviour would be to manually label the suexec executable file type bin_t (discouraged)

chcon -t bin_t /usr/sbin/suexec

You can optionally make the httpd_suexec_t domain permissive:

I would like to announce a big step forward in SELinux

What does DAC_OVERRIDE mean?

"DAC_OVERRIDE allows a process to ignore Discretionary Access Controls including access lists."

The UID of SUEXEC does not have the needed (DAC) permissions to access the content.

What is the location of the content that SUEXEC cannot access?

Why doesn't SELinux give me the full path in an error message?

Raw Audit Messages

Possible solutions

The preferable way is to change the permission bits of the content that the process is trying to access where possible.

Sometimes the best solution is to allow the process the DAC_OVERRIDE capability. This depends on the the situation.

Try to understand the situation by analysing the raw audit messages (AVC denials).

SELinux User Guide

edit flag offensive delete link more

Comments

DAC_OVERRIDE isn't good solutions, because app will inherit ability to override all DAC (RWX) permissions, and behave as root does, without any control.

none gravatar imagenone ( 2013-08-07 06:47:27 -0600 )edit
add a comment
0

answered 2013-08-07 06:45:48 -0600

none gravatar image

Fedora removed *_disable_trans booleans in favor to 'permissive domains'. semanage permissive -l will list you all security domains (types) that are in permissive mode, regardless of your SELinux mode (getenforce).

In your example, you could try: semanage permissive -a httpd_suexec_t, then restart your httpd server (if needed).

edit flag offensive delete link more
add a comment

Question Tools

subscribe to rss feed

Stats

Asked: 2012-03-18 17:32:55 -0600

Seen: 451 times

Last updated: Aug 07 '13

Related questions

SELinux help with installing Joomla plugins

Samba fedora 23 server

Preupgrade taking more time

Scriptlet Output

Samba 4 AD - selinux ntpd AVC denial sock_file on w32tm /resync

how to install playonlinux in fedora 19.

Certwatch warning does not contain path

Firewall warning fedora 22

Unvisible menu items

no audio in fedora 16

Ask Fedora is community maintained and Red Hat or Fedora Project is not responsible for content. Content on this site is licensed under a CC-BY-SA 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2