httpd newbie / access denied, no permission to ~userid

Rahul Sundaram sundaram at redhat.com
Mon Aug 15 14:57:14 UTC 2005


Hi

>
>For instance, I'd tried using some CGI (and other languages) scripts to
>do various things, such as show a man page in the browser.  To do so
>with SELinux would require changing lots of permissions in various
>places.  It's tedious to do, and not intuitive (there's some damn awful
>labelling involved with SELinux).
>  
>

It should be easy enough to enable httpd_enable_cgi if it isn't already. The 
following Apache-related booleans are available:

allow_httpd_anon_write --> inactive
allow_httpd_sys_script_anon_write --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active

You can use system-config-securitylevel or setsebool.

>I feel that SELinux and firewalls are a bit of a scam.  You're hoping
>that some third object will protect you against a flaw in what you're
>using (Apache, for instance), instead of properly fixing whatever you're
>using. 
>
If the policies restrict access, you can conclusively restrict the 
amount of damage through SELinux. While it is indeed good for the software 
itself to be fixed, the SELinux design is based on the assumption that 
all software is inherently flawed. That way you get an extra level of 
protection.

http://www.nsa.gov/selinux/papers/inevit-abs.cfm

regards
Rahul
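
Added example, not part of the original message: a small shell helper that reads a boolean listing in the "name --> state" form quoted above and prints the setsebool commands needed to reach a chosen state. The function names (sebool_state, sebool_plan) and the target state at the bottom are assumptions made for illustration; it also accepts the on/off spelling printed by later getsebool releases.

```shell
#!/bin/sh
# Added example: prints setsebool commands only, changes nothing itself.
# Constructed sample: the boolean listing quoted in the message above.
SAMPLE='allow_httpd_anon_write --> inactive
allow_httpd_sys_script_anon_write --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active'

# sebool_state NAME: read a listing on stdin; print on, off or missing.
# Handles both state spellings: active/inactive and on/off.
sebool_state() {
    awk -v want="$1" '
        $1 == want && $2 == "-->" {
            print (($3 == "active" || $3 == "on") ? "on" : "off")
            found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# sebool_plan LISTING NAME=on|off ...: for each requested boolean whose
# current state differs, print the setsebool command that would change it.
sebool_plan() {
    listing=$1; shift
    for want in "$@"; do
        name=${want%%=*}; target=${want#*=}
        current=$(printf '%s\n' "$listing" | sebool_state "$name")
        case $current in
            missing) echo "# $name: not present in this policy" ;;
            "$target") ;;  # already in the requested state
            *) [ "$target" = on ] && v=1 || v=0
               echo "setsebool -P $name $v" ;;
        esac
    done
}

# Assumed target state for CGI scripts served from ~userid directories.
sebool_plan "$SAMPLE" httpd_enable_cgi=on httpd_enable_homedirs=on \
    httpd_disable_trans=off httpd_ssi_exec=off
```

Against the listing in the message, only httpd_ssi_exec differs from the assumed target, so a single command is printed; -P makes the change persist across reboots.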




