[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux should be off by default in FC3



On Thu, Oct 07, 2004 at 11:52:09AM -0400, Colin Walters wrote:
> On Thu, 2004-10-07 at 10:30 -0500, Chris Adams wrote:
> 
> > We sell web hosting, and believe me, customers will upload their files
> > to just about anywhere on the server they have write access (and they'll
> > try other places without knowing why).  Shared web hosting is a perfect
> > environment for SELinux, but this would be a killer.  Explaining that
> > their CGIs have to have execute permission is hard enough.
> 
> I think that explaining what your users need to do for SELinux in this
> case is quite similar to explaining execute permissions.  
> 
> CGI scripts for example in the default Apache policy need to be
> httpd_user_script_exec_t.  CGI script data needs to be
> httpd_user_script_ro_t or httpd_user_script_rw_t.  There's no way for
> SELinux to automatically guess what data you want writable by the CGI
> and what you don't.
> 
> You simply need to have users be aware of chcon -t if you want the
> additional security.  Although:

That's surely not the whole story if SELinux is on by default and Apache
is covered by the targetted policy.  The fact seems to be that you have
to know and understand SELinux to be able to do the normal things you do
with Apache, e.g. write CGI scripts, or change httpd.conf.  I can't help
thinking this will be a large source of user confusion.

And the stderr-eating behaviour is very annoying.

# service httpd configtest
#

... should print "OK".

joe


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]