applying SELinux policy for httpd
Daniel J Walsh
dwalsh at redhat.com
Thu Nov 3 15:20:42 UTC 2005
Daniel J Walsh wrote:
> Joe Orton wrote:
>> I'd also like to mention again that the new FC4 policy of only
>> applying SELinux policy if httpd is started from the init script is
>> confusing the hell out of people. It breaks the principle of least
>> astonishment. I'd much rather live with the fact that SELinux policy
>> is *always* applied, and the fallout from that, than see this
>> confusion of people hitting SELinux policy issues, get confused,
>> restart httpd, see them disappear, etc.
>>
Maybe we could put something in apache to check if httpd_tty_comm is
active or at least see if writing to the terminal is allowed: if
(access(tty, W_OK)), then put a message in the log file stating that
output to the terminal is disabled and that you can enable it using
setsebool or system-config-securitylevel.
We can change the default to httpd_tty_comm being true, but this
potentially allows CGI scripts to interact with the terminal by default.
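
A sketch of the check proposed in this message, added here as an example; it is not Apache or Fedora code. It assumes the boolean can be read from selinuxfs (mounted at /selinux on FC4-era systems), and the names `read_boolean`, `classify` and `check_tty` are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

enum tty_status { TTY_WRITABLE, TTY_BLOCKED_BY_BOOLEAN, TTY_BLOCKED_OTHER };

/* Current value of an SELinux boolean, read from selinuxfs, where each
 * booleans/<name> file holds "<current> <pending>". Returns 0, 1, or -1
 * when it cannot be read (SELinux disabled, boolean missing). */
int read_boolean(const char *booleans_dir, const char *name)
{
    char path[512];
    int cur = -1, pending = -1;
    FILE *f;
    if (snprintf(path, sizeof path, "%s/%s", booleans_dir, name) >= (int)sizeof path)
        return -1;
    if ((f = fopen(path, "r")) == NULL)
        return -1;
    if (fscanf(f, "%d %d", &cur, &pending) != 2)
        cur = -1;
    fclose(f);
    return cur < 0 ? -1 : cur != 0;
}

/* Pure decision step, kept separate so it can be exercised without a tty. */
enum tty_status classify(int access_rc, int access_errno, int boolean_value)
{
    if (access_rc == 0)
        return TTY_WRITABLE;
    if (access_errno == EACCES && boolean_value == 0)
        return TTY_BLOCKED_BY_BOOLEAN;   /* denied while httpd_tty_comm is off */
    return TTY_BLOCKED_OTHER;            /* no tty, bad path, or another rule */
}

enum tty_status check_tty(const char *tty, const char *booleans_dir)
{
    int rc = access(tty, W_OK);
    int err = rc == 0 ? 0 : errno;       /* save errno before further calls */
    return classify(rc, err, read_boolean(booleans_dir, "httpd_tty_comm"));
}

int main(void)
{
    /* Assumed paths; stderr stands in for the server's error log. */
    if (check_tty("/dev/tty", "/selinux/booleans") == TTY_BLOCKED_BY_BOOLEAN)
        fprintf(stderr, "terminal output is disabled by SELinux; enable it "
                        "with: setsebool httpd_tty_comm 1\n");
    return 0;
}
```

The hint is only emitted when the denial is EACCES and the boolean reads as off, so a missing terminal or an unrelated denial does not send the administrator to the wrong setting.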