gpg through apache and php?

brett brett at eecs.tufts.edu
Thu Apr 28 02:09:31 UTC 2005


Thanks Stephen. See answers below.
-brett

> On Tue, 2005-04-26 at 23:09 -0400, brett wrote:
> > Hi,
> >
> > I had to disable SELinux on my apache httpd in order to get my php scripts
> > to work. They proc_open() gpg and SELinux didn't like that. Is there
> > any way to allow gpg to get through proc_open() so I can still have SELinux
> > checking up on my webserver?
>
> Details, please:
> - what policy are you running:  strict or targeted, FC3 or FC4/devel?

targeted. FC3

> - what httpd_* booleans do you have enabled?

httpd_disable_trans     active
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active


> - where have you placed the keyring for gpg that you want accessible via
> httpd?

/home/test/.gnupg

test is a user. Also, I plan on using symmetric encryption so I don't
think it needs the keyring file.

> - what avc denials did you get in /var/log/messages (FC3)
> or /var/log/audit/audit.log (FC4)?

Apr 24 22:29:06 razorfold kernel: audit(1114396146.398:0): avc:  denied  {
execute } for  pid=6266 comm=gpg path=/etc/ld.so.cache dev=dm-0
ino=3919093 scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:ld_so_cache_t tclass=file
Apr 24 22:29:06 razorfold kernel: audit(1114396146.398:0): avc:  denied  {
execmod } for  pid=6266 comm=gpg path=/usr/bin/gpg dev=dm-0 ino=4972274
scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:bin_t tclass=file
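
Added example, not part of the original message: a small Python parser that extracts the fields from AVC denial lines like the two above, tolerating the e-mail's line wrapping, and groups them by source type, target type and class so the denied permissions can be reviewed together. The function names and the `allow`-style summary format are choices made for this example; the output is a review aid, not policy to load as is.

```python
import re
from collections import defaultdict

# The two denials quoted in the message above, kept with the e-mail's wrapping.
SAMPLE = """\
Apr 24 22:29:06 razorfold kernel: audit(1114396146.398:0): avc:  denied  {
execute } for  pid=6266 comm=gpg path=/etc/ld.so.cache dev=dm-0
ino=3919093 scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:ld_so_cache_t tclass=file
Apr 24 22:29:06 razorfold kernel: audit(1114396146.398:0): avc:  denied  {
execmod } for  pid=6266 comm=gpg path=/usr/bin/gpg dev=dm-0 ino=4972274
scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:bin_t tclass=file
"""

REQUIRED = ("scontext", "tcontext", "tclass")


def parse_denials(text):
    """Return one dict per AVC denial, even when records are wrapped across lines."""
    flat = " ".join(text.split())  # undo mail wrapping and repeated spaces
    records = []
    for chunk in flat.split("avc: denied")[1:]:
        m = re.match(r"\s*\{([^}]*)\}(.*)", chunk)
        if not m:
            continue  # truncated record: no permission set
        fields = dict(re.findall(r"(\w+)=(\S+)", m.group(2)))
        if not all(k in fields for k in REQUIRED):
            continue  # incomplete record: skip rather than guess
        fields["perms"] = m.group(1).split()
        records.append(fields)
    return records


def candidate_rules(records):
    """Group denials by (source type, target type, class) for review."""
    grouped = defaultdict(set)
    for r in records:
        # The type is the third field of user:role:type[:level].
        key = (r["scontext"].split(":")[2], r["tcontext"].split(":")[2], r["tclass"])
        grouped[key].update(r["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    for rule in candidate_rules(parse_denials(SAMPLE)):
        print(rule)
```
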







More information about the fedora-selinux-list mailing list