httpd controls ?

Stephen Smalley sds at tycho.nsa.gov
Wed Mar 30 16:07:18 UTC 2005


On Wed, 2005-03-30 at 10:03 -0600, Christofer C. Bell wrote:
> That's a very good point and really bears spelling out.  How would one
> go about creating the new domain and then implementing the proper
> transition for just one set of CGI scripts?  I ask because I (was)
> running Open WebMail and ran into the case where I needed to
> effectively disable SELinux controls over all CGI scripts to allow OWM
> to run.  I would have preferred the case where these controls were
> removed *only* for the relevant scripts, allowing the remaining
> scripts to keep the protections afforded by the default policy.

Easiest way to create a domain presently is to copy an existing one and
edit it, using your favorite filter to replace all occurrences of the
old prefix with a new one.  By introducing a separate _exec_t type for
the new domain (e.g. httpd_passwd_exec_t) and assigning that type to the
particular CGI script in question (manually with chcon or via restorecon
after updating your file_contexts), you only affect that particular
script.

Possible resources:
- The RHEL4 SELinux Guide,
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
- Understanding and Customizing the Apache HTTP SELinux Policy, 
http://fedora.redhat.com/docs/selinux-apache-fc3/
- Sourceforge SELinux HOWTOs
http://sourceforge.net/docman/?group_id=21266
- SELinux: NSA's Open Source Security Enhanced Linux by Bill McCarty,
http://www.oreilly.com/catalog/selinux/
- Tresys Technology Policy Writing Course Slides,
http://www.tresys.com/selinux/selinux-course-outline.html
- Configuring the SELinux Policy,
http://www.nsa.gov/selinux/papers/policy2-abs.cfm

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
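
The copy-and-rename procedure from the reply above, as an added example that is not part of the original message or of any shipped policy. The prefixes `httpd_sys_script` and `httpd_owm_script`, the sample policy lines and the script path are constructed for illustration.

```shell
#!/bin/sh
# Added example. Prefixes, policy lines and the script path are constructed.

# Constructed stand-in for an existing CGI domain's policy source.
sample_policy() {
cat <<'EOF'
type httpd_sys_script_t, domain;
type httpd_sys_script_exec_t, file_type, sysadmfile;
role system_r types httpd_sys_script_t;
domain_auto_trans(httpd_t, httpd_sys_script_exec_t, httpd_sys_script_t)
allow httpd_sys_script_t httpd_sys_content_t:file { read getattr };
EOF
}

# Replace the OLD prefix ($1) with NEW ($2) on stdin. The prefix must start
# an identifier and be followed by "_", so httpd_t, httpd_sys_content_t and
# names that merely contain OLD are left alone.
clone_domain() {
    sed -E "s/(^|[^A-Za-z0-9_])${1}_/\1${2}_/g"
}

# file_contexts line giving one script (regular file, "--") the new
# entrypoint type; only a file with that type enters the new domain.
fc_entry() {  # usage: fc_entry PATH_REGEX NEW
    printf '%s\t--\tsystem_u:object_r:%s_exec_t\n' "$1" "$2"
}

# Succeeds only if the clone declares both new types and no OLD name is left.
check_clone() {  # usage: check_clone OLD NEW < new-policy
    policy=$(cat)
    printf '%s\n' "$policy" | grep -q "^type ${2}_t," || return 1
    printf '%s\n' "$policy" | grep -q "^type ${2}_exec_t," || return 1
    if printf '%s\n' "$policy" | grep -q "${1}_"; then return 1; fi
    return 0
}

OLD=httpd_sys_script
NEW=httpd_owm_script
sample_policy | clone_domain "$OLD" "$NEW"
# Hypothetical script path, written as a file_contexts regex.
fc_entry '/var/www/cgi-bin/openwebmail/openwebmail\.pl' "$NEW"
# With the new policy loaded, label the one script either way:
#   chcon -t httpd_owm_script_exec_t <script>     (manual)
#   restorecon <script>                           (after updating file_contexts)
```

Confirm the label with `ls -Z` on the script; every other CGI script keeps its existing type and so stays in the default domain.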



