httpd controls ?

Christofer C. Bell christofer.c.bell at gmail.com
Wed Mar 30 16:03:56 UTC 2005


On Wed, 30 Mar 2005 10:35:22 -0500, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On Wed, 2005-03-30 at 09:32 -0600, Christofer C. Bell wrote:
> > Look into use of the audit2allow utility for converting denied
> > messages into rules that allow the behavior that was denied.  The
> > short of it is:
> >
> > # cd /etc/selinux/targeted/src
> > # audit2allow -d -l -o domains/misc/local.te && make load
> >
> > Repeat until your script works and then clean up the local.te file's
> > formatting (not necessary).
> 
> The problem with the above sequence is it will directly allow those
> permissions to the original domain of the script; hence, all CGI scripts
> would end up having those permissions.  Better to define a separate
> httpd_passwd_t domain modeled after the passwd_t domain in the strict
> policy and set up a domain transition into this domain only for the
> script in question.

That's a very good point and really bears spelling out.  How would one
go about creating the new domain and then implementing the proper
transition for just one set of CGI scripts?  I ask because I (was)
running Open WebMail and ran into the case where I needed to
effectively disable SELinux controls over all CGI scripts to allow OWM
to run.  I would have preferred the case where these controls were
removed *only* for the relevant scripts, allowing the remaining
scripts to keep the protections afforded by the default policy.

-- 
Chris

"Build a man a fire and he will be warm for the rest of the night.  Set
a man on fire and he will be warm for the rest of his life."  -- Unknown
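Added example, not from this thread and not the Fedora policy's own code: roughly what Stephen's suggestion looks like in the pre-reference-policy macro syntax that the FC3-era /etc/selinux/targeted/src/policy tree used. The type names httpd_passwd_t and httpd_passwd_exec_t, the script path, and the specific allow rules are all assumptions for illustration; the point is that the transition is keyed on the label of one file, so every other script stays in httpd_sys_script_t.

```selinux
# domains/misc/httpd_passwd.te  (added example; all names are assumptions)
#
# A separate domain for one CGI script, plus the file label that marks the
# only script allowed to enter it.
type httpd_passwd_t, domain;
type httpd_passwd_exec_t, file_type, sysadmfile, exec_type;

# Only files labeled httpd_passwd_exec_t trigger the transition.  Every other
# CGI keeps running as httpd_sys_script_t with its existing restrictions.
domain_auto_trans(httpd_sys_script_t, httpd_passwd_exec_t, httpd_passwd_t)

# Plumbing any dynamically linked domain needs.
uses_shlib(httpd_passwd_t)

# The script still talks to httpd over the descriptors it inherited and has
# to be reapable by it (illustrative; check your apache.te for the exact
# rules the stock script domains get).
allow httpd_passwd_t httpd_t:fd use;
allow httpd_passwd_t httpd_t:fifo_file { getattr read write };
allow httpd_passwd_t httpd_t:process sigchld;

# Privileges only this script should hold, modeled on what passwd_t needs in
# the strict policy.  Illustrative starting point: extend it with audit2allow
# output gathered while exercising the script, edited so the rules name
# httpd_passwd_t rather than httpd_sys_script_t.
allow httpd_passwd_t shadow_t:file { getattr read write };
allow httpd_passwd_t self:capability { setuid setgid };

# file_contexts/misc/httpd_passwd.fc  (separate file; the path is a placeholder)
/var/www/cgi-bin/owm/changepw\.pl -- system_u:object_r:httpd_passwd_exec_t
```

After dropping both files into the src tree, run `make load` from the policy directory, `restorecon` the script so it actually carries httpd_passwd_exec_t (confirm with `ls -Z`), then hit the script and confirm with `ps -eZ` that the child runs as httpd_passwd_t while a different CGI still shows httpd_sys_script_t. When the AVC denials start naming httpd_passwd_t, audit2allow output can go into this file instead of local.te; anything it proposes for httpd_sys_script_t itself should be treated as a sign the label or transition is wrong, not merged. Since this domain ends up with passwd-like rights, that one script is now the privilege boundary and deserves the review the rest of the CGIs no longer need.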

More information about the fedora-selinux-list mailing list