applying SELinux policy for httpd
Joe Orton
jorton at redhat.com
Thu Nov 3 14:42:01 UTC 2005
On Thu, Nov 03, 2005 at 09:27:51AM -0500, Stephen Smalley wrote:
> On Thu, 2005-11-03 at 14:22 +0000, Joe Orton wrote:
> > What's the problem for CGI scripts, I'm not sure what you're referring
> > to here?
>
> A similar issue exists for them: whether or not to transition them into
> their separate domains by default when a user runs them directly. As
> with httpd, they lose access to the tty in that case, and thus cannot
> display diagnostics. runcon can be used to force the desired behavior
> regardless of the default.
Oh, I see, tricky. I think I would go the opposite way on that one and
not transition the scripts when run directly. (or if enabling
httpd_tty_comm by default solves that problem too, just do that)
joe