gpg through apache and php?

brett brett at eecs.tufts.edu
Sun May 1 00:30:42 UTC 2005


> If you organize your /var/www
> tree in a conventional manner, then it should work fairly smoothly.
> Problems arise when people put CGIs all over the place (not just in
> cgi-bin), and don't use any conventions in separating files that should
> be read-only vs. read-write.

OK, you are selling me on the /var/www tree. What is "a conventional
manner"? Needless to say you don't have to explain it all to me; perhaps
you can point me to a resource that describes what you are talking about.
For example, where do user PHP scripts live in this tree? Are they
readable/writable by others?


> Simplest thing to do is just to install policy sources and just allow
> the permissions you want, e.g.
> 	yum install selinux-policy-targeted-sources
> 	cd /etc/selinux/targeted/src/policy
> repeat:
> 	audit2allow -d >> domains/misc/local.te
> 	make load
> 	<retry operation>
> 	<goto repeat if it fails>
>
> Might be quicker to switch to permissive mode (setenforce 0), run your
> CGI via apache, then run audit2allow once, as that will then collect
> _all_ of the audit messages that would have been denied in enforcing
> mode.

So selinux-policy-targeted-sources is something that lets me change
policy?

And audit2allow is something that monitors what processes are open and
"allows" them to pass through SELinux?

Thanks,
-brett



