SELinux/httpd integration

Joe Orton jorton at redhat.com
Tue Nov 23 15:48:22 UTC 2004


On Mon, Nov 22, 2004 at 05:59:10PM -0500, Colin Walters wrote:
> On Mon, 2004-11-22 at 17:30 -0500, Yuichi Nakamura wrote:
> 
> > I think it should grant fewer permissions. 
> > Why should httpd_t write all contents in httpd_unified?
> 
> Ah, I see what you're saying now.  Right.  Dan added that recently for
> PHP scripts, I believe.  
> 
> > So, I feel that allowing httpd_t write permission to all contents is out of scope of httpd_unified.
> 
> I agree now.  Conceptually they are separate things.  A new boolean like
> httpd_content_writable sounds good to me.  Sorry about misunderstanding
> you originally.

But this boolean is going to be on by default?

I'm going to add this text to /etc/httpd/conf.d/subversion.conf since it
(currently :) works out-of-the-box: is the terminology "labelled with a
context" correct?

#
# Example configuration to enable HTTP access for a directory
# containing Subversion repositories, "/var/www/svn".  Each repository
# must be readable and writable by the 'apache' user.  Note that if
# SELinux is enabled, the repositories must be labelled with a context
# which httpd can write to; this will happen by default for
# directories created in /var/www.
#



