web-controlled system

Russell Coker russell at coker.com.au
Fri Jun 3 07:46:43 UTC 2005

On Friday 03 June 2005 17:27, Florin Andrei <florin at andrei.myip.org> wrote:
> On Fri, 2005-06-03 at 16:29 +1000, Russell Coker wrote:
> > On Thursday 02 June 2005 13:25, Florin Andrei <florin at andrei.myip.org> 
> > > Any guidelines for changing the SELinux config for a system that's
> > > controlled over a web interface running in Apache? The interface is
> > > supposed to do things like: stop/start services, change network
> > > settings, etc.
> >
> > Probably the easiest solution will be to have Apache or the CGI-BIN
> > script in question running unconfined.
> True, but I'd like to avoid that.


If Apache can change system configuration files and restart daemons then 
what's the point of trying to restrict it?  Using Apache to configure the 
system to boot without SE Linux enabled should be easy enough.

> Is there any tutorial that describes how to use the selinux avc: denied
> messages to "loosen up" the policy?

No.  The problem you face is how to change the labels on some file so that 
Apache can write to them but not grant Apache write to too many things.  If 
your requirement is "control everything over the web" then this may not be a 
solvable problem.

> I'd imagine that by exercising the daemon in all ways possible, and
> keeping an eye on syslog at the same time, I should be able to figure
> out what needs to be permitted in the policy, right?


http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

More information about the fedora-selinux-list mailing list