Paul Howarth wrote:
> The simplest fix might be to change the file context of this particular
> CGI script to httpd_unconfined_script_exec_t instead of
> httpd_sys_script_t. That would effectively turn off SELinux protection
> for that particular script.
>
> The alternative approach of using audit2allow to create a local policy
> to allow these capabilities would turn on these capabilities for *all*
> of your CGI scripts, which IMHO would be worse than turning off
> protection for just that one script (particularly if that script was
> well-audited for security issues).
>
> Ideally it would be easy to create a subclass of CGI scripts and assign
> special capabilities to those (I have a similar issue with FastCGI
> scripts that need slightly more capabilities than regular CGI scripts),
> but that's beyond me at this moment.

As the script in question can indeed be called well-audited (basically, it just allows a certain action to be triggered by calling another script with fixed attributes), I have decided to go with httpd_unconfined_script_exec_t. That did the trick neatly.

Thanks very much,

Jochen

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list