gpg through apache and php?
brett
brett at eecs.tufts.edu
Sun May 1 00:30:42 UTC 2005
>
> If you organize your /var/www
> tree in a conventional manner, then it should work fairly smoothly.
> Problems arise when people put CGIs all over the place (not just in cgi-
> bin), and don't use any conventions in separating files that should be
> read-only vs. read-write.
OK, you are selling me on the /var/www tree. What is "a conventional
manner"? Needless to say, you don't have to explain it all to me; perhaps
you can point me to a resource that describes what you are talking about.
For example, where do user PHP scripts live in this tree? Are they
readable/writable by others?
> Simplest thing to do is just to install policy sources and just allow
> the permissions you want, e.g.
> yum install selinux-policy-targeted-sources
> cd /etc/selinux/targeted/src/policy
> repeat:
> audit2allow -d >> domains/misc/local.te
> make load
> <retry operation>
> <goto repeat if it fails>
>
> Might be quicker to switch to permissive mode (setenforce 0), run your
> CGI via apache, then run audit2allow once, as that will then collect
> _all_ of the audit messages that would have been denied in enforcing
> mode.
So selinux-policy-targeted-sources is something that lets me change
policy?
And audit2allow is something that monitors what processes are open and
"allows" them to pass through SELinux?
Thanks,
-brett