Policy for webalizer
Yuichi Nakamura
himainu-ynakam at miomio.jp
Sun Jun 27 13:37:03 UTC 2004
I checked your changes and webalizer worked, thank you.

Russell Coker <russell at coker.com.au> wrote:
> As a general rule we don't want to allow any daemons access to the
> administrator console if we can avoid it. I'm not sure what the best thing
> to do for webalizer is in this regard.

I am not sure.
What can an attacker do when he obtains write access to the console file?

> We could have /var/www/usage labelled as httpd_sys_content_t. That gives less
> types (less pain) for no significant decrease in security. I should probably
> make a similar change to calamaris_t.

I think we should pay attention when we give write access to the homepage,
because many users think the homepage is important.
In this configuration, if an attacker has the webalizer_t domain by some means,
he can compromise all of the homepages.
And if the administrator misconfigures /etc/webalizer.conf, homepages may be broken.
I think we should give a new type to /var/www/usage.

---
Yuichi Nakamura
Japan SELinux Users Group(JPSEG)
http://www.selinux.gr.jp/
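
The two labelling options discussed in this thread, side by side, as an added example that is not part of either post or of the Fedora policy. The type name `webalizer_usage_t`, the `file_type, sysadmfile` attributes, and the labelling of the parent `/var/www` directory are assumptions; the rules are written as plain `allow` statements rather than policy macros.

```selinux
# ---------------------------------------------------------------
# Option A (quoted proposal): reuse the web content type.
# file_contexts entry:
#   /var/www/usage(/.*)?    system_u:object_r:httpd_sys_content_t
#
# Because the report directory shares its type with every other
# page, the write rules below cover the whole site, not only
# /var/www/usage. Shown commented out for comparison:
#
#   allow webalizer_t httpd_sys_content_t:dir
#       { getattr search read write add_name remove_name };
#   allow webalizer_t httpd_sys_content_t:file
#       { getattr read write create setattr unlink };
# ---------------------------------------------------------------

# ---------------------------------------------------------------
# Option B (reply): a dedicated type for the report directory.
# webalizer_usage_t is a hypothetical name chosen for this example.
# file_contexts entry:
#   /var/www/usage(/.*)?    system_u:object_r:webalizer_usage_t
# ---------------------------------------------------------------
type webalizer_usage_t, file_type, sysadmfile;

# webalizer_t may create and rewrite reports, but only in its own type.
allow webalizer_t webalizer_usage_t:dir
    { getattr search read write add_name remove_name };
allow webalizer_t webalizer_usage_t:file
    { getattr read write create setattr unlink };

# Path traversal only through the parent directory, assumed here to be
# labelled httpd_sys_content_t. No write permission on site content.
allow webalizer_t httpd_sys_content_t:dir { getattr search };

# The web server serves the reports read-only.
allow httpd_t webalizer_usage_t:dir  { getattr search read };
allow httpd_t webalizer_usage_t:file { getattr read };
```

With option B, a wrong output directory in /etc/webalizer.conf results in an AVC denial instead of overwritten site content, at the cost of one extra type to maintain.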