Hi,
I just noticed that I was able to run cgi-scripts on apache whose type was bin_t instead of httpd_sys_script_exec_t. Is this expected nowadays? I am using FC5 with the latest updates (selinux-policy-targeted-2.2.25-3.fc5)
Also this bin_t script was able to read files which were by accident httpd_sys_script_exec_t type.
My booleans:
# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_ssi_exec --> on
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> off
BTW, is there a way or tools to find out what e.g. httpd_exec_t program is allowed to do (and what do the booleans really affect) on currently active policy?
Best regards,
Jouni
Jouni Viikari wrote:
> Hi,
> I just noticed that I was able to run cgi-scripts on apache whose type was bin_t instead of httpd_sys_script_exec_t. Is this expected nowadays? I am using FC5 with the latest updates (selinux-policy-targeted-2.2.25-3.fc5)
apache is allowed to execute bin_t.
> Also this bin_t script was able to read files which were by accident httpd_sys_script_exec_t type.
The fact the script was bin_t does not mean that it was running in that domain.
Basically there is no domain transition happening. Apache runs in httpd_t, which is allowed to run bin_t. But it will stay in the context of httpd_t. So when the bin_t labeled application runs httpd_sys_script_exec_t, from SELinux's point of view it is httpd_t executing httpd_sys_script_exec_t. In this case there will be a transition to httpd_sys_script_t.
> My booleans:
> # getsebool -a | grep httpd
> allow_httpd_anon_write --> off
> allow_httpd_sys_script_anon_write --> off
> httpd_builtin_scripting --> on
> httpd_can_network_connect --> on
> httpd_can_network_connect_db --> off
> httpd_can_network_relay --> off
> httpd_disable_trans --> off
> httpd_enable_cgi --> on
> httpd_enable_ftp_server --> off
> httpd_enable_homedirs --> on
> httpd_ssi_exec --> on
> httpd_suexec_disable_trans --> off
> httpd_tty_comm --> off
> httpd_unified --> off
> BTW, is there a way or tools to find out what e.g. httpd_exec_t program is allowed to do (and what do the booleans really affect) on currently active policy?
apol
> Best regards,
> Jouni
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
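The exec chain described in the reply above (httpd_t runs a bin_t script, stays httpd_t, and only transitions to httpd_sys_script_t when that script in turn executes a httpd_sys_script_exec_t file) can be replayed with a small model of SELinux's exec-time domain decision. This is an added example, not code from the thread or from the Fedora policy: the allow and type_transition rules it loads are a constructed, simplified subset written in the spirit of the targeted policy (the CGI rules are gated on httpd_enable_cgi as an assumption), and the four permission checks it applies (execute, execute_no_trans, process:transition, entrypoint) are the ones the kernel requires.

```python
# Added example (not from the mailing-list thread): a toy model of how SELinux
# decides which domain a process runs in after exec(), used to replay the
# httpd_t -> bin_t -> httpd_sys_script_exec_t chain from the thread.
# The rule set in build_policy() is a constructed, simplified subset, not the
# real policy text.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Allow:
    source: str                     # source domain
    target: str                     # target type
    tclass: str                     # object class, e.g. "file" or "process"
    perms: frozenset                # permissions granted
    boolean: Optional[str] = None   # rule is active only while this boolean is on


@dataclass(frozen=True)
class TypeTransition:
    source: str                     # domain doing the exec()
    target: str                     # type of the executed file
    new_domain: str                 # domain the new process image gets
    boolean: Optional[str] = None


@dataclass
class Policy:
    allows: List[Allow]
    transitions: List[TypeTransition]
    booleans: Dict[str, bool]

    def _active(self, rule) -> bool:
        return rule.boolean is None or self.booleans.get(rule.boolean, False)

    def allowed(self, source: str, target: str, tclass: str, perm: str) -> bool:
        """True if any active allow rule grants source -> target:tclass perm."""
        return any(
            self._active(r) and r.source == source and r.target == target
            and r.tclass == tclass and perm in r.perms
            for r in self.allows
        )

    def exec_domain(self, current: str, file_type: str) -> Optional[str]:
        """Domain a process in `current` runs in after exec()ing a file of
        `file_type`, or None if the exec would be denied."""
        new = next((t.new_domain for t in self.transitions
                    if self._active(t) and t.source == current
                    and t.target == file_type), None)
        if new is None:
            # No type_transition: the process keeps its domain, which needs
            # both execute and execute_no_trans on the file type.
            ok = (self.allowed(current, file_type, "file", "execute")
                  and self.allowed(current, file_type, "file", "execute_no_trans"))
            return current if ok else None
        # A transition needs execute on the file, process:transition into the
        # new domain, and the new domain's entrypoint permission on the file.
        ok = (self.allowed(current, file_type, "file", "execute")
              and self.allowed(current, new, "process", "transition")
              and self.allowed(new, file_type, "file", "entrypoint"))
        return new if ok else None


def build_policy(booleans: Dict[str, bool]) -> Policy:
    """Constructed subset of httpd rules; the CGI rules hang off httpd_enable_cgi."""
    f = frozenset
    return Policy(
        allows=[
            Allow("httpd_t", "bin_t", "file",
                  f({"read", "getattr", "execute", "execute_no_trans"})),
            Allow("httpd_t", "httpd_sys_script_exec_t", "file",
                  f({"read", "getattr", "execute"}), "httpd_enable_cgi"),
            Allow("httpd_t", "httpd_sys_script_t", "process",
                  f({"transition"}), "httpd_enable_cgi"),
            Allow("httpd_sys_script_t", "httpd_sys_script_exec_t", "file",
                  f({"entrypoint"}), "httpd_enable_cgi"),
        ],
        transitions=[
            TypeTransition("httpd_t", "httpd_sys_script_exec_t",
                           "httpd_sys_script_t", "httpd_enable_cgi"),
        ],
        booleans=booleans,
    )


def trace_exec_chain(policy: Policy, start: str,
                     file_types: List[str]) -> List[Optional[str]]:
    """Replay a chain of exec() calls and record the domain after each one."""
    domains: List[Optional[str]] = [start]
    current: Optional[str] = start
    for ft in file_types:
        current = policy.exec_domain(current, ft)
        domains.append(current)
        if current is None:      # exec denied: the chain stops here
            break
    return domains


if __name__ == "__main__":
    chain = ["bin_t", "httpd_sys_script_exec_t"]
    print("httpd_enable_cgi on :",
          trace_exec_chain(build_policy({"httpd_enable_cgi": True}), "httpd_t", chain))
    print("httpd_enable_cgi off:",
          trace_exec_chain(build_policy({"httpd_enable_cgi": False}), "httpd_t", chain))
```

With httpd_enable_cgi on (as in the posted booleans) the chain comes out as httpd_t, httpd_t, httpd_sys_script_t: the bin_t exec is a no-transition exec, and the read of the mislabeled httpd_sys_script_exec_t files is simply httpd_t reading a type it is allowed to read. Flipping the boolean off removes the transition rule and the permissions behind it, so the second exec is denied. On a live system the same questions are answered against the loaded policy by sesearch (from the same setools package that ships apol), e.g. querying allow rules from httpd_t to bin_t and type_transition rules from httpd_t on httpd_sys_script_exec_t; sesearch also reports which boolean conditions a rule depends on.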