targeted policy clashes CGI program under apache

Colin Walters walters at redhat.com
Tue Mar 22 13:44:16 UTC 2005


On Mon, 2005-03-21 at 23:13 -0800, Ben wrote:

> My CGI does use glib threads; is that a bad thing?

Not a bad thing.  I think the CGI script policy author hadn't tested
multi-threaded scripts.

> I would like to use SELinux, but there's "like" and "need", and right 
> now I need to get this working. So, if there's no quick fix, is there a 
> way to disable SELinux on just this one CGI, do I have to disable it 
> for all of apache?

You have three options basically:

1) Disable enforcement for Apache
2) Install policy source and add the permission
3) Wait for a FC3 policy update with this fixed

One thing that we had recently discussed doing is adding a
httpd_sys_script_unconfined_exec_t type, which when executed by httpd_t
would cause a transition to unconfined_t (i.e. not be confined by
SELinux).  But I don't think this is done yet.

For 1), see the Fedora SELinux FAQ.
For 2), see:

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0096.html

Or:
http://fedora.redhat.com/docs/selinux-apache-fc3/sn-debugging-and-customizing.html#sn-simple-changes-to-policy-source

The major caveats with maintaining your own modified policy in this
fashion at the moment are that you have to know about using "make" etc.
to build it, and it's somewhat fragile with respect to upgrades.

Upstream SELinux work is going to make it a lot easier to create and
maintain policy changes from a binary policy.
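
For option 2), the step the thread leaves implicit is turning the logged AVC denial into the allow rule you add to the local policy source. The script below is an added example, not code from this thread or from the Fedora policy package: it parses kernel AVC "denied" lines (as logged in /var/log/messages on FC3/RHEL4, or in the audit log on later systems) into `allow <source type> <target type>:<class> { perms };` rules, one per distinct denial, so each permission is granted deliberately instead of dropping enforcement for all of httpd. The two sample log lines are constructed; their types, class and permissions (`getsched`, `var_lib_t`, the `my.cgi` name) are placeholders, since the thread never quotes the actual denial that the glib-threaded CGI hit. The `audit2allow` tool from policycoreutils does this job more completely; the point here is to show the mechanics.

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread). Converts kernel AVC
# "denied" lines into SELinux allow rules for a local policy source file,
# so a CGI denial can be fixed with one targeted rule (option 2 in the thread)
# rather than by disabling enforcement for httpd as a whole (option 1).

# Constructed AVC lines in the syslog format of the FC3/RHEL4 era.
# Types, class and permissions are illustrative placeholders: the thread does
# not quote the real denial triggered by the glib-threaded CGI.
SAMPLE_AVC='audit(1111111111.111:0): avc:  denied  { getsched } for  pid=1234 comm="my.cgi" scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=process'
SAMPLE_AVC2='audit(1111111111.222:0): avc:  denied  { read write } for  pid=1234 comm="my.cgi" name="state.db" dev=hda2 ino=4242 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_lib_t tclass=file'

# avc_field LINE KEY: the value of "KEY=value" in an AVC line (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p"
}

# ctx_type CONTEXT: the type field of a user:role:type[:mls] security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule LINE: print "allow <stype> <ttype>:<tclass> { perms };"
# Prints nothing for lines that are not AVC denials; returns 1 on a denial
# line that is missing one of the fields the rule needs.
avc_to_rule() {
    line=$1
    case $line in
        *avc:*denied*) ;;
        *) return 0 ;;
    esac
    # The permission set sits between the braces after "denied".
    perms=$(printf '%s\n' "$line" \
        | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' \
        | sed 's/ *$//' | tr -s ' ')
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || return 1
    # Policy convention: a domain acting on its own process is written as "self".
    [ "$stype" = "$ttype" ] && ttype=self
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# avc_log_to_rules: read log lines on stdin, emit one rule per distinct denial.
# Non-AVC lines (ordinary kernel messages) are skipped.
avc_log_to_rules() {
    while IFS= read -r l; do
        avc_to_rule "$l" || true
    done | sort -u
}

# Stand-alone demo over the constructed lines plus one unrelated kernel message.
main() {
    printf '%s\n%s\n%s\n' "$SAMPLE_AVC" "kernel: eth0: link up" "$SAMPLE_AVC2" \
        | avc_log_to_rules
}

main
```

On a real system the same function is fed from the log, for example `grep 'avc: ' /var/log/messages | avc_log_to_rules`, and the resulting lines are pasted into the local `.te` file before rebuilding the policy with `make`, as the guides linked above describe. Each emitted rule should still be read before it is added: a rule whose target type is broad (anything under `/var/lib`, say, rather than a type specific to the CGI's own data) grants more than the script needs, and the better fix there is to label the CGI's files with a type the script domain already has access to.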





More information about the fedora-selinux-list mailing list