SELinux managing-confined-services guide - call for review

Dominick Grift domg472 at gmail.com
Thu Apr 23 19:40:00 UTC 2009


On Thu, 2009-04-23 at 13:21 +0200, Dominick Grift wrote:
> On Thu, 2009-04-23 at 14:25 +1000, Scott Radvan wrote:
> 
> > I would greatly appreciate any and all comments or corrections that
> > anyone has on it.
> 
> I like the examples, unfortunately with regard to for example Apache you
> do not have an example for each boolean. That would probably be too
> much, but it would be the best way to show when to use which boolean or
> combination of booleans.
> 
> For example we have had an issue on #fedora-selinux where httpd couldn't
> do some permission to httpd_sys_content_t.
> 
> setroubleshoot suggested httpd_unified, but even with that bool set to
> true, httpd was not able to do (I forgot which permission it was) to the
> file.
> 
> I suggested to the user to just label the file httpd_sys_content_rw_t
> and get it over with. (this worked)
> 
> However later dwalsh suggested that this wasn't just solved by
> httpd_unified because it required a combination of booleans to be set.
> 
> I'm not sure I remember correctly which combination this was, but I think:
> 
> httpd_enable_cgi, httpd_unified, httpd_enable_homedir
> 
> My point is that the idea of including examples is a very good idea in
> my view but that there aren't so many examples.


Actually the example I gave here just does not work. There is a bug in
Fedora Apache policy. We have had another guy with the same issue in
#selinux today and httpd_unified does not work. Confirmed it.



