web-controlled system

Florin Andrei florin at andrei.myip.org
Fri Jun 3 07:27:22 UTC 2005

On Fri, 2005-06-03 at 16:29 +1000, Russell Coker wrote:
> On Thursday 02 June 2005 13:25, Florin Andrei <florin at andrei.myip.org> wrote:
> > Any guidelines for changing the SELinux config for a system that's
> > controlled over a web interface running in Apache? The interface is
> > supposed to do things like: stop/start services, change network
> > settings, etc.
> Probably the easiest solution will be to have Apache or the CGI-BIN script in 
> question running unconfined.

True, but I'd like to avoid that.

Is there any tutorial that describes how to use the selinux avc: denied
messages to "loosen up" the policy?
I'd imagine that by exercising the daemon in all ways possible, and
keeping an eye on syslog at the same time, I should be able to figure
out what needs to be permitted in the policy, right? Should be fairly
straightforward once the details are comprehended.
Any guidelines/howto/cookbook on the subject?

Florin Andrei
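
The workflow asked about above (exercise the daemon, collect the avc: denied lines from syslog, derive what the policy would have to permit), as an added example that is not part of the original message. The log lines are constructed, and the domain and type names in them are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed syslog excerpt (not from the original message).
SAMPLE_LOG = """\
Jun  3 07:30:01 host kernel: audit(1117783801.101:0): avc:  denied  { read } for  pid=2101 comm="netcfg.cgi" name="ifcfg-eth0" dev=hda1 ino=4411 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:net_conf_t tclass=file
Jun  3 07:30:01 host kernel: audit(1117783801.105:0): avc:  denied  { write } for  pid=2101 comm="netcfg.cgi" name="ifcfg-eth0" dev=hda1 ino=4411 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:net_conf_t tclass=file
Jun  3 07:30:02 host httpd: ordinary log line that is not an AVC message
Jun  3 07:30:04 host kernel: audit(1117783804.220:0): avc:  denied  { net_admin } for  pid=2103 comm="ifconfig" capability=12 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:system_r:httpd_sys_script_t tclass=capability
Jun  3 07:30:09 host kernel: audit(1117783809.007:0): avc:  denied  { execute } for  pid=2110 comm="svc.cgi" name="sshd" dev=hda1 ino=9120 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:initrc_exec_t tclass=file
"""

# Permissions in braces, then source context, target context, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Merge AVC denials into one candidate allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        src, tgt = type_of(m.group(2)), type_of(m.group(3))
        if src == tgt:
            tgt = "self"  # policy language keyword for source == target
        perms[(src, tgt, m.group(4))].update(m.group(1).split())
    rules = []
    for (src, tgt, cls), granted in sorted(perms.items()):
        names = sorted(granted)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    # Candidate rules only: review each one before adding it to the policy.
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```

The audit2allow utility in policycoreutils performs this conversion on real logs. Each generated rule is a candidate to review rather than apply blindly, since a denial can also mean the script is doing something it should not.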

