Selinux Apache avc denied

Valdis.Kletnieks at Valdis.Kletnieks at
Sat Jul 30 03:56:39 UTC 2005

On Fri, 29 Jul 2005 23:32:01 EDT, Alain Reguera Delgado said:

> I've been stopped the web development. I feel selinux is a brilliant
> technology I'd like to implement in my webserver.

Actually, you have that almost totally backwards - SELinux is a brilliant
technology that gets implemented in the kernel to make sure it doesn't
matter *what* gets implemented in the webserver.  Even if malicious code
gets control of the webserver, it still can't access anything the webserver
wasn't supposed to access...

Now, about the actual problem:

> Jul 27 15:41:38 hostname kernel: audit(1122493298.486:0): avc:  denied
> { execute } for  pid=4011 comm=httpd name=bash dev=hda5 ino=844138
> scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:shell_exec_t
> tclass=file

Unfortunately, this is *much* too big a can of worms to solve directly - it
would be technically possible to just add a rule that says 'httpd_t can
exec shell_exec_t' - but that would be a *really* *bad* idea because then
any exploit could get a shell (and exec_no_trans only partially minimizes
the problem).

Can you re-arrange the code so that /usr/sbin/sendmail gets invoked directly,
rather than via a shell?  If so, then maybe we can add a can_exec of sendmail_exec_t.

Policy Gurus:  How big a hole would adding a 'can_exec(sendmail_exec_t)' or
'domain_auto_trans(sendmail_t)' cause?  And how many of these common "web interface
wants to send mail" problems would it solve?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <>

More information about the fedora-selinux-list mailing list