
Re: implications of httpd_unified



On Tue, 17 Mar 2009 15:33:08 +1000
Scott Radvan <sradvan redhat com> wrote:

> Hi all,
> 
> 
> I have taken ownership of development on the Fedora 11 SELinux
> (Managing Confined Services) guide, and am currently trying to build
> on the descriptions of the purposes, uses and implications of
> enabling/disabling some of the available Booleans.
> 
> I am wondering if anybody can expand or has any comments on this
> description of the httpd_unified Boolean, as there doesn't seem to be
> a great deal out there about it.
> 
> "This Boolean is off by default, turning it on will allow all httpd
> executables to have full access to all content labeled with a http
> file context. Leaving it off makes sure that one httpd service can not
> interfere with another."
> 
> Specifically I am interested in what is meant by a service that can
> not "interfere with another" in the case of httpd_unified, but any
> comments which may help me refine the description are more than
> welcome.

I think this means that, say, httpd_bugzilla_script_t can't access
httpd_sys_* files and httpd_sys_script_t can't access httpd_bugzilla_*
files etc.

Paul.

