On Thu, 2005-01-27 at 15:49 -0500, John W. Lockhart wrote:
> Stephen Smalley wrote:
> > On Thu, 2005-01-27 at 11:25, John W. Lockhart wrote:
> >
> >>Aha! It is indeed mounted nosuid:
> >>rw,nosuid,nodev,noatime,rsize=8192,wsize=8192,bg,intr,soft,context=system_u:object_r:httpd_sys_content_t
> >
> > Not clear you want to just remove nosuid, as that obviously has other
> > security implications. If policy allowed httpd_t to set its exec
> > context, then you could use a wrapper script that just does a runcon -t
> > httpd_sys_script_t <realscript> to manually transition to the new
> > domain.
>
> For now, since the nfs server contains trusted materials, I got rid of the
> nosuid. Got a little farther, but hit:
>
> kernel: audit(1106858631.779:0): avc: denied { search } for pid=22886
> exe=/usr/bin/perl name=mnt dev=dm-0 ino=3932161
> scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t
> tclass=dir

Wouldn't be harmful to allow by default, I think.
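Added example, not part of the thread: a small parser that turns AVC denials like the one quoted above into the candidate TE allow rule (the same job audit2allow does), so the rule can be read and judged before anything is loaded into policy. The first log line is the denial from the thread; the second is a constructed companion denial used only to show how permissions on the same source/target/class pair are merged.

```python
import re

# Constructed sample log: the denial quoted in the thread, plus one made-up
# "read" denial on the same types to exercise the merging step.
SAMPLE_LOG = [
    "kernel: audit(1106858631.779:0): avc: denied { search } for pid=22886 "
    "exe=/usr/bin/perl name=mnt dev=dm-0 ino=3932161 "
    "scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t "
    "tclass=dir",
    "kernel: audit(1106858632.001:0): avc: denied { read } for pid=22886 "
    "exe=/usr/bin/perl name=mnt dev=dm-0 ino=3932161 "
    "scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t "
    "tclass=dir",
    "kernel: some unrelated message that is not an AVC record",
]

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Everything after "for" is key=value pairs separated by whitespace.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "fields": fields,
        # user:role:type[:range]; the type is the third component.
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def allow_rule(avc):
    """Render the TE allow rule that would permit exactly this denied access."""
    return "allow %s %s:%s { %s };" % (
        avc["stype"], avc["ttype"], avc["tclass"], " ".join(avc["perms"]))


def rules_from_log(lines):
    """Merge denials sharing (source type, target type, class) into one rule each."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["result"] != "denied":
            continue
        key = (avc["stype"], avc["ttype"], avc["tclass"])
        merged.setdefault(key, set()).update(avc["perms"])
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in merged.items())
```

Each generated rule still needs a human to decide whether the access is wanted; here it would grant search on mnt_t directories to every httpd CGI script, which is the trade-off the thread is weighing.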