Re: A bit of packaging help is needed for suphp

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 2006-09-09 at 23:19 +0200, Andreas Thienemann wrote:
> Hi,
> 
> I'm currently preparing an update for mod_suphp in FE.
> suphp works similar to suexec for the apache httpd, only that it is 
> designed with php scripts in mind.
> 
> 
> The execution works similar to suexec: A php-script on the webserver is 
> accessed, for which the mod_suphp module is configured.
> The modules executes /usr/sbin/suphp, which drops privileges to the user 
> owning the file and executes the php-cgi binary, feeding the generated 
> content back to the server.
> 
> 
> I want this to work with the targeted selinux policy. Right now, the httpd 
> error log shows:
> 
> [Sat Sep 09 06:05:36 2006] [error] [client 127.0.0.1] (13)Permission 
> denied: couldn't create child process: /usr/sbin/suphp for
> /home/andreas/public_html/test.php
> 
> I tried relabeling the suphp binary with httpd_suexec_exec_t but this 
> doesn't seem to help at all.
> Strangely, I'm not seeing anything related in the audit.log.
> 
> 
> A helpful user added a preliminary selinux policy to bugzilla for 
> mod_suphp.
> <https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=135912>
> 
> It'd be great, if someone knowledgable could take a look at it and 
> comment.

It looks to me like it might be better to use apache_content_template
for this

That's the approach I used for mod_fcgid:
http://cvs.fedora.redhat.com/viewcvs/devel/mod_fcgid/?root=extras

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux