implications of httpd_unified

Paul Howarth paul at city-fan.org
Tue Mar 17 07:39:45 UTC 2009


On Tue, 17 Mar 2009 15:33:08 +1000
Scott Radvan <sradvan at redhat.com> wrote:

> Hi all,
> 
> 
> I have taken ownership of development on the Fedora 11 SELinux
> (Managing Confined Services) guide, and am currently trying to build
> on the descriptions of the purposes, uses and implications of
> enabling/disabling some of the available Booleans.
> 
> I am wondering if anybody can expand or has any comments on this
> description of the httpd_unified Boolean, as there doesn't seem to be
> a great deal out there about it.
> 
> "This Boolean is off by default, turning it on will allow all httpd
> executables to have full access to all content labeled with a http
> file context. Leaving it off makes sure that one httpd service cannot
> interfere with another."
> 
> Specifically I am interested in what is meant by a service that
> cannot "interfere with another" in the case of httpd_unified, but any
> comments which may help me refine the description are more than
> welcome.

I think this means that say httpd_bugzilla_script_t can't access
httpd_sys_* files and httpd_sys_script_t can't access httpd_bugzilla_*
files etc.

Paul.
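The separation Paul describes can be checked directly on a host rather than inferred from the description. The script below is an added example and is not part of the thread or of the Fedora guide; it assumes a Fedora-style SELinux policy in which the type names httpd_bugzilla_script_t and httpd_sys_content_t exist (they are the standard apache policy types) and that the setools `sesearch` utility and the `getsebool` tool are installed.

```shell
#!/bin/sh
# Added example, not from the original thread: inspect what the
# httpd_unified Boolean changes on a running SELinux system.
# Assumes standard Fedora apache policy type names and the setools
# and policycoreutils command-line tools.

# Print the current state of httpd_unified (e.g. "httpd_unified --> off").
# Returns 2 when the SELinux userspace tools are not installed, so the
# caller can tell "tools missing" apart from a real policy error.
show_httpd_unified() {
    command -v getsebool >/dev/null 2>&1 || {
        echo "getsebool not found: SELinux userspace tools are not installed" >&2
        return 2
    }
    getsebool httpd_unified
}

# List the allow rules from SOURCE_TYPE to TARGET_TYPE on file objects
# that are conditional on the httpd_unified Boolean. Rules listed here
# are exactly the cross-service accesses that disappear when the
# Boolean is off, e.g. httpd_bugzilla_script_t reaching httpd_sys_* content.
# Usage: conditional_rules SOURCE_TYPE TARGET_TYPE
conditional_rules() {
    command -v sesearch >/dev/null 2>&1 || {
        echo "sesearch not found: install setools (setools-console)" >&2
        return 2
    }
    # -A: allow rules, -b: only rules conditioned on this Boolean,
    # -c file: restrict to the file object class.
    sesearch -A -b httpd_unified -s "$1" -t "$2" -c file
}

# Run both checks when invoked as:
#   sh httpd_unified_check.sh check [SOURCE_TYPE] [TARGET_TYPE]
case "${1:-}" in
    check)
        show_httpd_unified
        conditional_rules "${2:-httpd_bugzilla_script_t}" "${3:-httpd_sys_content_t}"
        ;;
esac
```

With the Boolean left at its default of off, `conditional_rules` shows the rules that would be granted but are currently inactive; an empty result for a pair of types means no access between those two services depends on httpd_unified at all. Flipping the Boolean is done with `setsebool -P httpd_unified on`, which collapses the per-service separation the guide text is describing, so the default is the safer setting where separate web applications run under distinct httpd_*_script_t domains.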
