Description

The SELinux policy module for suexec is missing some permissions, causing it
to fail in some circumstances:

- suexec lacks permission to write to /tmp, making it impossible to
redirect debug output there.
- suexec sometimes fails to prompt for a password when using Kerberos
authentication.
- suexec tries to check the safety of the path to the executable. Depending
on the SELinux labels of that path, this sometimes fails.

Resolution / Workaround

The hotfix HFBM-0061, available from the HelpSystems Community Portal, adds the missing permissions to the suexec policy module so that the scenarios described in the previous section work.

SUEXEC Debugging Notes for SELinux Environments

When running bdebug for suexec (e.g. "bdebug -x9 -f /mydir suexec") on an SELinux-enabled system, the directory "/mydir" must have an SELinux context with type tmp_t. The /tmp directory has this type by default; for other directories, chcon may be used to change the context, e.g. "chcon unconfined_u:object_r:tmp_t:s0 /mydir".
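
A pre-flight check for the debug directory's label, added here as an example (it is not part of the product or the hotfix). The function names are hypothetical, and GNU stat is assumed for reading the context.

```shell
#!/bin/sh
# Added example: confirm that a bdebug output directory carries the tmp_t
# type before debugging suexec. Function names are hypothetical.

# Print the type field of a context "user:role:type[:level[:categories]]".
# The level may itself contain colons (e.g. s0:c0.c1023), so the type is
# taken as the third field counted from the left.
selinux_type_of() {
    case $1 in
        *:*:*)
            t=${1#*:}      # drop user
            t=${t#*:}      # drop role
            printf '%s\n' "${t%%:*}"
            ;;
    esac
}

# Succeed when context string $1 has type $2.
context_has_type() {
    [ "$(selinux_type_of "$1")" = "$2" ]
}

# Check directory $1. Returns 0 = tmp_t, 1 = other type,
# 2 = not a directory, 3 = no SELinux context could be read.
check_debug_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 2; }
    ctx=$(stat -c %C "$dir" 2>/dev/null) || ctx=
    if [ -z "$ctx" ] || [ "$ctx" = "?" ]; then
        echo "$dir: no SELinux context available" >&2
        return 3
    fi
    if context_has_type "$ctx" tmp_t; then
        echo "$dir: OK ($ctx)"
    else
        echo "$dir: type is $(selinux_type_of "$ctx"), expected tmp_t" >&2
        echo "  fix: chcon unconfined_u:object_r:tmp_t:s0 $dir" >&2
        return 1
    fi
}

# Usage: sh check_debug_dir.sh /mydir
[ "$#" -eq 0 ] || check_debug_dir "$1"
```

A label set with chcon does not survive a filesystem relabel or restorecon, so rerun the check if debug output stops appearing later.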



Last Modified On: May 25, 2018