On Mon, 2017-05-22 at 20:23 +0200, Dominick Grift wrote:
> On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue related
> > > to Apache httpd that I just can't figure out. I have always been able
> > > to tune policy or alter a boolean, this one has me stumped!
> > >
> > > What I am trying to do: I am trying to deploy a simple, 3 line CGI
> > > script in /var/www/cgi-bin/. Runs fine with enforcement disabled (see
> > > output below). My custom policy for Apache (see below) comes from my
> > > EL6 environment.
> > >
> > > The normal setroubleshooting tools don't help, as there is only a single
> > > line in audit.log (of type=SELINUX_ERR)
> > >
> > > This is not happening on latest RHEL 6.9 ...
> > >
> > > Might be related to systemd? I don't see any "NoNewPrivileges"
> > > directives inside /etc/systemd/ though ... weird!
> >
> > Is the filesystem mounted nosuid?
>
> If selinux also uses that message for that scenario then I find that
> confusing since the message, to me, implies that the issue can be
> found by adding a type bounds, but I don't think that would work for
> nosuid mounted slices

NNP and nosuid are handled in the same way.

That said, I'm not sure I follow the error here, since a default transition on exec should not cause a failure in this case; we should just fall back to running in the caller's domain (whether NNP or nosuid). We only fail hard if the caller explicitly requested a domain transition.
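The question raised in the thread ("Is the filesystem mounted nosuid?") is the first thing to verify when an exec-time domain transition unexpectedly does not happen, because SELinux treats a nosuid mount like NoNewPrivileges and keeps the child in the caller's domain. The POSIX sh helper below is an added example, not code from the thread or from the SELinux project: it walks a `/proc/self/mounts`-style table, picks the mount with the longest mount-point prefix for a given path, and reports whether that mount carries `nosuid`. The sample mount table is constructed for an offline run; the second argument exists only so the function can be exercised against that sample instead of the live system.

```shell
#!/bin/sh
# Find the mount that contains PATH (longest mount-point prefix in a
# /proc/self/mounts-style table) and report whether it is mounted nosuid.
# Prints "nosuid <mountpoint>" or "suid-ok <mountpoint>".
# Returns 0 when the mount is nosuid, 1 when it is not, 2 when no mount matches.
nosuid_check() {
    path=$1
    mounts=${2:-/proc/self/mounts}   # second argument is only for offline testing
    best=""
    bestopts=""
    # /proc/self/mounts fields: device mountpoint fstype options dump pass
    while read -r _dev mnt _fstype opts _rest; do
        case "$mnt" in
            /) hit=1 ;;                              # root matches every path
            *) case "$path" in
                   "$mnt"|"$mnt"/*) hit=1 ;;         # path is the mount point or below it
                   *) hit=0 ;;
               esac ;;
        esac
        # keep the deepest (longest) matching mount point
        if [ "$hit" -eq 1 ] && [ "${#mnt}" -ge "${#best}" ]; then
            best=$mnt
            bestopts=$opts
        fi
    done < "$mounts"
    [ -n "$best" ] || { echo "no mount found for $path" >&2; return 2; }
    # options are comma separated; pad with commas so "nosuid" matches whole tokens only
    case ",$bestopts," in
        *,nosuid,*) echo "nosuid $best";  return 0 ;;
        *)          echo "suid-ok $best"; return 1 ;;
    esac
}

# Constructed sample mount table (not taken from the thread) for an offline run:
# /var is a separate filesystem mounted nosuid, / and /boot are not.
write_sample_mounts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/dev/mapper/rhel-root / xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/mapper/rhel-var /var xfs rw,nosuid,nodev,relatime,attr2,inode64,noquota 0 0
/dev/sda1 /boot xfs rw,relatime 0 0
EOF
    echo "$f"
}

# Demonstration against the constructed table; drop the second argument to
# query the running system instead.
sample=$(write_sample_mounts)
nosuid_check /var/www/cgi-bin "$sample" || true   # prints: nosuid /var
rm -f "$sample"
```

On a live host, run `nosuid_check /var/www/cgi-bin` with no second argument. If it reports `nosuid`, the CGI script will run in `httpd_t` rather than transitioning, exactly as the thread describes, and the fix is a mount option, not a policy change. The systemd side of the same question can be checked with `systemctl show -p NoNewPrivileges httpd.service`, since a unit with `NoNewPrivileges=yes` produces the same fallback.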