httpd newbie / access denied, no permission to ~userid
Rahul Sundaram
sundaram at redhat.com
Mon Aug 15 14:57:14 UTC 2005
Hi
>
>For instance, I'd tried using some CGI (and other languages) scripts to
>do various things, such as show a man page in the browser. To do so
>with SELinux would require changing lots of permissions in various
>places. It's tedious to do, and not intuitive (there's some damn awful
>labelling involved with SELinux).
>
>
Should be easy enough to enable httpd_enable_cgi if it isn't already. The
following Apache-related booleans are available:
allow_httpd_anon_write --> inactive
allow_httpd_sys_script_anon_write --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active
You can use system-config-securitylevel or setsebool.
>I feel that SELinux and firewalls are a bit of a scam. You're hoping
>that some third object will protect you against a flaw in what you're
>using (Apache, for instance), instead of properly fixing whatever you're
>using.
>
If the policies restrict access, you can conclusively restrict the
amount of damage through SELinux. While it is indeed good for the software
itself to be fixed, SELinux design is based on the assumption that
all software is inherently flawed. That way you get an extra level of
protection.
http://www.nsa.gov/selinux/papers/inevit-abs.cfm
regards
Rahul
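
An added example, not part of the original message: a shell function that reads a boolean listing in the format quoted above and prints the setsebool commands needed to reach a target state. The DESIRED state and the name plan_sebool are assumptions made for illustration; commands are printed only, never run.

```shell
#!/bin/sh
# Listing copied from the message above ("name --> active|inactive").
CURRENT_BOOLEANS='allow_httpd_anon_write --> inactive
allow_httpd_sys_script_anon_write --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active'

# Assumed target state (constructed for this example): CGI and ~userid
# content allowed, SSI exec and outbound connections from httpd denied.
DESIRED='httpd_enable_cgi=active
httpd_enable_homedirs=active
httpd_ssi_exec=inactive
httpd_can_network_connect=inactive'

# plan_sebool LISTING DESIRED
# Prints one "setsebool -P name 0|1" line per boolean whose listed state
# differs from the desired one. -P makes the change persist across reboots.
plan_sebool() {
    printf '%s\n' "$2" | while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        case "$want" in
            active)   val=1 ;;
            inactive) val=0 ;;
            *) echo "# $name: unknown desired state '$want', skipped"; continue ;;
        esac
        # Newer getsebool prints on/off; normalise to the older wording.
        have=$(printf '%s\n' "$1" | awk -v n="$name" '
            $1 == n && $2 == "-->" {
                s = $3
                if (s == "on") s = "active"
                if (s == "off") s = "inactive"
                print s
            }')
        if [ -z "$have" ]; then
            echo "# $name: not present in listing, skipped"
        elif [ "$have" != "$want" ]; then
            echo "setsebool -P $name $val"
        fi
    done
}

plan_sebool "$CURRENT_BOOLEANS" "$DESIRED"
```

On a live system the first argument can come from `getsebool -a`; review the printed commands before running them as root.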