A bit of packaging help is needed for suphp

Paul Howarth paul at city-fan.org
Sun Sep 10 12:46:08 UTC 2006


On Sat, 2006-09-09 at 23:19 +0200, Andreas Thienemann wrote:
> Hi,
> 
> I'm currently preparing an update for mod_suphp in FE.
> suphp works similarly to suexec for the apache httpd, only that it is 
> designed with php scripts in mind.
> 
> 
> The execution works similarly to suexec: A php-script on the webserver is 
> accessed, for which the mod_suphp module is configured.
> The module executes /usr/sbin/suphp, which drops privileges to the user 
> owning the file and executes the php-cgi binary, feeding the generated 
> content back to the server.
> 
> 
> I want this to work with the targeted selinux policy. Right now, the httpd 
> error log shows:
> 
> [Sat Sep 09 06:05:36 2006] [error] [client 127.0.0.1] (13)Permission 
> denied: couldn't create child process: /usr/sbin/suphp for
> /home/andreas/public_html/test.php
> 
> I tried relabeling the suphp binary with httpd_suexec_exec_t but this 
> doesn't seem to help at all.
> Strangely, I'm not seeing anything related in the audit.log.
> 
> 
> A helpful user added a preliminary selinux policy to bugzilla for 
> mod_suphp.
> <https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=135912>
> 
> It'd be great if someone knowledgeable could take a look at it and 
> comment.

It looks to me like it might be better to use apache_content_template
for this.

That's the approach I used for mod_fcgid:
http://cvs.fedora.redhat.com/viewcvs/devel/mod_fcgid/?root=extras

Paul.
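
The error-log line quoted above can be checked against audit.log to see whether an AVC denial was recorded for the same exec attempt. This is an added example, not part of the original thread: the audit records are constructed, and the +2h UTC offset for the web server's clock is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Error-log line quoted in the message above, joined onto one line.
ERROR_LOG = ("[Sat Sep 09 06:05:36 2006] [error] [client 127.0.0.1] "
             "(13)Permission denied: couldn't create child process: "
             "/usr/sbin/suphp for /home/andreas/public_html/test.php")

# Constructed audit.log records (not from the thread): one unrelated, one matching.
AUDIT_LOG = """\
type=AVC msg=audit(1157774000.101:40): avc:  denied  { read } for  pid=900 comm="ntpd" name="drift" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1157774736.512:57): avc:  denied  { execute } for  pid=2301 comm="httpd" name="suphp" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
"""

APACHE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] .*\(13\)Permission denied: "
                       r"couldn't create child process: (?P<bin>\S+)")
AVC_RE = re.compile(r"^type=AVC msg=audit\((?P<epoch>\d+)\.\d+:\d+\): avc:\s+denied\s+"
                    r"\{(?P<perms>[^}]*)\}.*?scontext=(?P<s>\S+) "
                    r"tcontext=(?P<t>\S+) tclass=(?P<c>\S+)")

def apache_event(line, utc_offset_hours):
    """Return (epoch_seconds, binary_path) for a failed child exec, else None."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    # Apache's error log carries local time without a zone; the offset is supplied.
    tz = timezone(timedelta(hours=utc_offset_hours))
    when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y").replace(tzinfo=tz)
    return int(when.timestamp()), m["bin"]

def matching_denials(audit_text, epoch, binary, window=5):
    """AVC denials within +/- window seconds that name the binary's basename."""
    name = binary.rsplit("/", 1)[-1]
    hits = []
    for rec in audit_text.splitlines():
        m = AVC_RE.match(rec)
        if m and abs(int(m["epoch"]) - epoch) <= window and f'"{name}"' in rec:
            hits.append((m["perms"].split(), m["s"], m["t"], m["c"]))
    return hits

if __name__ == "__main__":
    epoch, binary = apache_event(ERROR_LOG, utc_offset_hours=2)
    for perms, src, tgt, cls in matching_denials(AUDIT_LOG, epoch, binary):
        print(f"{binary}: {src} denied {perms} on {tgt} ({cls})")
```

An empty result only shows that no denial was logged in that window; SELinux dontaudit rules suppress logging of denials they cover, so it does not by itself rule out a policy denial.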



