On Sat, 2006-09-09 at 23:19 +0200, Andreas Thienemann wrote:
> Hi,
>
> I'm currently preparing an update for mod_suphp in FE.
> suphp works similarly to suexec for the apache httpd, only that it is
> designed with php scripts in mind.
>
> The execution works similarly to suexec: A php-script on the webserver is
> accessed, for which the mod_suphp module is configured.
> The module executes /usr/sbin/suphp, which drops privileges to the user
> owning the file and executes the php-cgi binary, feeding the generated
> content back to the server.
>
> I want this to work with the targeted selinux policy. Right now, the httpd
> error log shows:
>
> [Sat Sep 09 06:05:36 2006] [error] [client 127.0.0.1] (13)Permission
> denied: couldn't create child process: /usr/sbin/suphp for
> /home/andreas/public_html/test.php
>
> I tried relabeling the suphp binary with httpd_suexec_exec_t but this
> doesn't seem to help at all.
> Strangely, I'm not seeing anything related in the audit.log.
>
> A helpful user added a preliminary selinux policy to bugzilla for
> mod_suphp.
> <https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=135912>
>
> It'd be great, if someone knowledgeable could take a look at it and
> comment.

It looks to me like it might be better to use apache_content_template for this.

That's the approach I used for mod_fcgid:

http://cvs.fedora.redhat.com/viewcvs/devel/mod_fcgid/?root=extras

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list