Re: SELinux, F8, and httpd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Daniel J Walsh wrote:
chcon is just like chown or chmod, and actually change a file context to
httpd_sys_content_t will survive a relabel, which you really should not
need to do.  If you cp the contents of the directory they should adopt
the context of the destination directory. Also you could use restorecond
to watch for the creation of files in the directory.

Would other contexts survive though? httpd_sys_content_t is really here nor there in that situation, because it is the default policy.

So I could custom configure restorecond, but why does it even have to be a daemon. Why couldn't the kernel just to it automatically during the move?
*_disable_trans was removed because it caused as many problems as it
solved.  When you disable trans on one domain, you can cause other
domains to to blow up because file context gets screwed up.
This makes sense.
If you really want to disable trans you could change the context of
httpd to bin_t.   chcon -t bin_t /usr/sbin/httpd, but this will not
survive a relabel.  We are hoping to add permissive domains pretty soon,
where you define httpd as a permissive domain, and it would only report
access problems and not enforce them.
 That it wouldn't survive a relabel makes it pretty worthless.

I was thinking about permissive domains when I was writing the original e-mail. Good to hear it is being worked on.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux