Re: SELinux should be off by default in FC3

On Thu, 2004-10-07 at 17:36 +0100, Joe Orton wrote:

> That's surely not the whole story if SELinux is on by default and Apache
> is covered by the targeted policy.  The fact seems to be that you have
> to know and understand SELinux to be able to do the normal things you do
> with Apache, e.g. write CGI scripts, or change httpd.conf.

Following up on this a bit - it would be possible to weaken the Apache
policy so that there are not separate types for user versus system
content, or CGI script executables versus CGI data.  You'd just have a
single type, httpd_content_t.  Then an administrator wouldn't have to
know how to run chcon to relabel executable CGI scripts or mark data as
read-only by the CGI script.

However, you lose a number of advantages of the normal Apache policy,
such as compromised (or misconfigured) CGI scripts not being able to
delete your entire website.
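As an added illustration (not part of the original post, and not from the
Fedora policy sources), here is the relabelling step the post says an
administrator currently has to know.  It assumes the type names of the
targeted policy's Apache module (httpd_sys_content_t, httpd_sys_script_exec_t,
httpd_sys_script_ro_t, httpd_sys_script_rw_t and their httpd_user_* twins for
~/public_html); the function names and the /var/www and /home paths are
ours.  On a box without SELinux the script only prints the chcon command it
would run, so it can be read anywhere.

```shell
#!/bin/sh
# Added example: label web content under the split-type Apache policy.
# Type names assumed from the targeted policy; helper names are ours.

# httpd_type_for PATH KIND
#   KIND is one of: content | cgi | ro-data | rw-data
#   Prints the SELinux type a file of that kind should carry.
#   User content under ~/public_html gets the httpd_user_* types, so a
#   user's CGI cannot touch system content and vice versa.
httpd_type_for() {
    path=$1
    kind=$2
    case $path in
        /home/*/public_html/*) prefix=httpd_user ;;
        *)                     prefix=httpd_sys ;;
    esac
    case $kind in
        content) echo "${prefix}_content_t" ;;      # static pages served by httpd_t
        cgi)     echo "${prefix}_script_exec_t" ;;  # entry point into the CGI domain
        ro-data) echo "${prefix}_script_ro_t" ;;    # CGI may read, never write
        rw-data) echo "${prefix}_script_rw_t" ;;    # the only thing CGI may modify
        *)       return 1 ;;
    esac
}

# httpd_label PATH KIND
#   Applies the type with chcon when SELinux is enabled; otherwise prints
#   the command so the example runs on any system.
httpd_label() {
    t=$(httpd_type_for "$1" "$2") || { echo "unknown kind: $2" >&2; return 1; }
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        chcon -t "$t" "$1"
    else
        echo "chcon -t $t $1"
    fi
}

# Example site layout (paths assumed).  A CGI script that is later
# compromised runs in the script domain and so can only write the
# rw-data file: the pages and the ro-data file are not writable by it,
# which is exactly what a single httpd_content_t type would give up.
if [ "${HTTPD_LABEL_DEMO:-}" = 1 ]; then
    httpd_label /var/www/html/index.html          content
    httpd_label /var/www/cgi-bin/form.cgi         cgi
    httpd_label /var/www/cgi-bin/prices.db        ro-data
    httpd_label /var/www/cgi-bin/submissions.txt  rw-data
    httpd_label /home/alice/public_html/index.html content
fi
```

Run with HTTPD_LABEL_DEMO=1 to label the example tree; ls -Z on the files
afterwards shows the resulting contexts.  Note that chcon is not persistent
across a full relabel of the filesystem, which is one more thing the post's
hypothetical single-type policy would spare the administrator from learning.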

