SELinux should be off by default in FC3
Colin Walters
walters at redhat.com
Thu Oct 7 20:33:34 UTC 2004
On Thu, 2004-10-07 at 17:36 +0100, Joe Orton wrote:
> That's surely not the whole story if SELinux is on by default and Apache
> is covered by the targeted policy. The fact seems to be that you have
> to know and understand SELinux to be able to do the normal things you do
> with Apache, e.g. write CGI scripts, or change httpd.conf.
Following up on this a bit - it would be possible to weaken the Apache
policy so that there are not separate types for user versus system
content, or CGI script executables versus CGI data. You'd just have a
single type, httpd_content_t. Then an administrator wouldn't have to
know how to run chcon to relabel executable CGI scripts or mark data as
read-only by the CGI script.
However, you lose a number of advantages of the normal Apache policy,
such as compromised (or misconfigured) CGI scripts not being able to
delete your entire website.
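
The trade-off described in this message, modelled as an added example that is not part of the original post or of the Fedora policy: a toy type-enforcement check comparing separate types with a single httpd_content_t. The domain names, every type name other than httpd_content_t, the rule sets and the sample paths are simplified assumptions constructed for illustration.

```python
# Toy model of SELinux type enforcement (added illustration, not real policy).
# Rules map (source domain, target type) -> permitted file operations.
# Every type name except httpd_content_t is an illustrative assumption.
SPLIT_POLICY = {
    ("httpd_t", "httpd_sys_content_t"): {"read"},
    ("httpd_t", "httpd_user_content_t"): {"read"},
    ("httpd_t", "httpd_sys_script_exec_t"): {"read", "execute"},
    ("httpd_sys_script_t", "httpd_sys_script_exec_t"): {"read", "execute"},
    ("httpd_sys_script_t", "httpd_sys_script_ro_t"): {"read"},
    ("httpd_sys_script_t", "httpd_sys_script_rw_t"): {"read", "write", "unlink"},
}
# Weakened policy: a single type, so the script domain needs every
# permission on it that any script might legitimately use.
MERGED_POLICY = {
    ("httpd_t", "httpd_content_t"): {"read", "execute"},
    ("httpd_sys_script_t", "httpd_content_t"): {"read", "write", "unlink", "execute"},
}
# Constructed sample site: path -> label under the split policy.
SPLIT_LABELS = {
    "/var/www/html/index.html": "httpd_sys_content_t",
    "/home/alice/public_html/about.html": "httpd_user_content_t",
    "/var/www/cgi-bin/guestbook.cgi": "httpd_sys_script_exec_t",
    "/var/www/data/templates.txt": "httpd_sys_script_ro_t",
    "/var/www/data/guestbook.db": "httpd_sys_script_rw_t",
}
MERGED_LABELS = {path: "httpd_content_t" for path in SPLIT_LABELS}


def allowed(policy, domain, file_type, perm):
    """Default deny: access exists only if an allow rule grants it."""
    return perm in policy.get((domain, file_type), set())


def blast_radius(policy, labels, domain="httpd_sys_script_t"):
    """Paths a compromised process in `domain` could modify or delete."""
    return sorted(path for path, ftype in labels.items()
                  if any(allowed(policy, domain, ftype, p) for p in ("write", "unlink")))


def can_run_as_cgi(policy, file_type):
    """httpd_t must be allowed to execute the file for it to run as CGI."""
    return allowed(policy, "httpd_t", file_type, "execute")


if __name__ == "__main__":
    print("split :", blast_radius(SPLIT_POLICY, SPLIT_LABELS))
    print("merged:", blast_radius(MERGED_POLICY, MERGED_LABELS))
    # A new script that still carries the content label needs relabelling.
    print(can_run_as_cgi(SPLIT_POLICY, "httpd_sys_content_t"))
```

In this model the split policy confines a compromised script to its one writable data file but requires the relabelling step the message mentions, while the merged policy needs no relabelling and exposes every file on the site.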