apache configtest

Colin Walters walters at redhat.com
Wed Oct 27 14:55:14 UTC 2004


On Wed, 2004-10-27 at 15:30 +0100, Joe Orton wrote:

> I'm still trying to understand your suggestion to move the bits of code
> which do "config testing" into a separate /usr/sbin/httpd-configtest
> binary, and how that would avoid the issue.  

I didn't mean to rewrite the Apache code.  I meant just to have separate
binaries with different labels:

cp /usr/sbin/httpd /usr/sbin/httpd-configtest
chcon -t sbin_t /usr/sbin/httpd-configtest

That way, when init executes httpd-configtest, it does *not* domain
transition to httpd_t, and thus retains privileges to write to the
terminal.  In this strict policy we might need to grant initrc_t access
to httpd_config_t though.  Or we could create a separate domain just for
the config test, which would actually be a good idea, so that httpd -t
wouldn't be able to act as a webserver, write pid files, etc.

Does that make sense?




