applying SELinux policy for httpd
Ivan Gyurdiev
ivg2 at cornell.edu
Thu Nov 3 14:02:14 UTC 2005
Ivan Gyurdiev wrote:
> Joe Orton wrote:
>> I'd also like to mention again that the new FC4 policy of only
>> applying SELinux policy if httpd is started from the init script is
>> confusing the hell out of people. It breaks the principle of least
>> astonishment. I'd much rather live with the fact that SELinux policy
>> is *always* applied, and the fallout from that, than see this
>> confusion of people hitting SELinux policy issues, get confused,
>> restart httpd, see them disappear, etc.
>>
>> I'd really like to see this change reverted for FC5.
>>
>
> Check the state of the "direct_sysadm_daemon" tunable...
> I think it should be set to 1 in your case. I am not quite sure of the
> justification for a tunable.
Or rather.. maybe it needs to be defined in the sources package from
which policy is built.
I always get confused as to whether or not tunables can be changed at
runtime - IIRC they can't.