Re: Running httpd scripts from nfs mounts?

Stephen Smalley wrote:
On Thu, 2005-01-27 at 11:25, John W. Lockhart wrote:

Aha!  It is indeed mounted nosuid:
rw,nosuid,nodev,noatime,rsize=8192,wsize=8192,bg,intr,soft,context=system_u:object_r:httpd_sys_content_t

Not clear you want to just remove nosuid, as that obviously has other
security implications.  If policy allowed httpd_t to set its exec
context, then you could use a wrapper script that just does a runcon -t
httpd_sys_script_t <realscript> to manually transition to the new
domain.

For now, since the nfs server contains trusted materials, I got rid of the nosuid. Got a little farther, but hit:

kernel: audit(1106858631.779:0): avc:  denied  { search } for  pid=22886
exe=/usr/bin/perl name=mnt dev=dm-0 ino=3932161
scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t
tclass=dir

  -- John
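
For reading denials like the one quoted in the message above, here is an added example (not part of the original thread) that splits an AVC record of this format into its fields. The function names are illustrative, and the sample record is the message's own denial joined onto one line.

```python
import re

# Constructed sample: the denial from the message above, joined onto one line.
SAMPLE = ("kernel: audit(1106858631.779:0): avc:  denied  { search } for  pid=22886 "
          "exe=/usr/bin/perl name=mnt dev=dm-0 ino=3932161 "
          "scontext=root:system_r:httpd_sys_script_t "
          "tcontext=system_u:object_r:mnt_t tclass=dir")

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)"
    r"\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")

def split_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain colons."""
    user, role, rest = ctx.split(":", 2)
    setype, _, level = rest.partition(":")
    return {"user": user, "role": role, "type": setype, "level": level or None}

def parse_avc(record):
    """Return a dict for one AVC record, or None if the text is not one."""
    # Collapse whitespace so records wrapped by a mail client still parse.
    m = AVC_RE.search(" ".join(record.split()))
    if m is None:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest"))
    fields = {k: v.strip('"') for k, v in pairs}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: no access tuple to report
    return {
        "time": float(m.group("ts")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source": split_context(fields.pop("scontext")),
        "target": split_context(fields.pop("tcontext")),
        "tclass": fields.pop("tclass"),
        "details": fields,  # pid, exe, name, dev, ino, ...
    }

def summarize(avc):
    """One line naming the source domain, target type, class and permissions."""
    d = avc["details"]
    return "{}: {} -> {}:{} {{ {} }} (exe={}, name={})".format(
        avc["result"], avc["source"]["type"], avc["target"]["type"],
        avc["tclass"], " ".join(avc["perms"]),
        d.get("exe", "?"), d.get("name", "?"))

if __name__ == "__main__":
    print(summarize(parse_avc(SAMPLE)))
```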

