applying SELinux policy for httpd
Joe Orton
jorton at redhat.com
Thu Nov 3 14:22:46 UTC 2005
On Thu, Nov 03, 2005 at 09:12:24AM -0500, Stephen Smalley wrote:
> On Thu, 2005-11-03 at 14:10 +0000, Joe Orton wrote:
> > On Thu, Nov 03, 2005 at 09:00:04AM -0500, Stephen Smalley wrote:
> > > On Thu, 2005-11-03 at 10:15 +0000, Joe Orton wrote:
> > > > I'd also like to mention again that the new FC4 policy of only applying
> > > > SELinux policy if httpd is started from the init script is confusing the
> > > > hell out of people. It breaks the principle of least astonishment. I'd
> > > > much rather live with the fact that SELinux policy is *always* applied,
> > > > and the fallout from that, than see this confusion of people hitting
> > > > SELinux policy issues, get confused, restart httpd, see them disappear,
> > > > etc.
> > > >
> > > > I'd really like to see this change reverted for FC5.
> > >
> > > Previously discussed in this thread:
> > > http://marc.theaimsgroup.com/?t=112089638800001&r=1&w=2
> >
> > The argument above still stands after the change to make apachectl
> > behave like the init script. People are still getting confused by the
> > fact that Apache behaves differently if started via /usr/sbin/httpd.
>
> That's fine, but they then need to know to use runcon or to enable
> httpd_tty_comm if they want to run httpd -t and see the output on their
> tty.
It's a trade-off and this is the more acceptable option to me.
Consistently different is better than inconsistently different (but I
would really also prefer that httpd_tty_comm were active by default, to
avoid that issue as well).
> Likewise for cgis, unless they are handled differently.
What's the problem for CGI scripts? I'm not sure what you're referring
to here.
Regards,
joe