httpd controls ?

Stephen Smalley sds at
Wed Mar 30 15:35:22 UTC 2005

On Wed, 2005-03-30 at 09:32 -0600, Christofer C. Bell wrote:
> Look into use of the audit2allow utility for converting denied
> messages into rules that allow the behavior that was denied. The the
> short of it is:
> # cd /etc/selinux/targeted/src
> # audit2allow -d -l -o domains/misc/local.te && make load
> Repeat until your script works and then clean up the local.te file's
> formatting (not necessary).

The problem with the above sequence is it will directly allow those
permissions to the original domain of the script; hence, all CGI scripts
would end up having those permissions.  Better to define a separate
httpd_passwd_t domain modeled after the passwd_t domain in the strict
policy and set up a domain transition into this domain only for the
script in question.

Stephen Smalley <sds at>
National Security Agency

More information about the fedora-selinux-list mailing list