httpd and krb5.conf

Quoting Doug Koobs <dkoobs@xxxxxxxxxx>:

> Aleksandar Milivojevic said:
>> I've noticed that SELinux blocks httpd (standard CentOS httpd, simply
>> installed from RPM) from writing to the krb5.conf file.  Question.  Why on
>> earth would httpd need write access to the krb5.conf file?!  Sure, it might
>> need read access if it is configured to use Kerberos for authentication,
>> but write!?  I mean, a web server that modifies one of the critical files
>> (which is used for authentication/authorization)?
> Allow me to display my ignorance of all things SELinux:
>
> SELinux is supposed to restrict services and programs from performing
> actions that they don't have a need to be doing. Since httpd has no
> reason to write to the krb5.conf file, SELinux restricts it. Kind of
> like a "Need to Know" policy. If you're not familiar with Mandatory
> Access Control, read up on it; I think that is what SELinux is about.

Exactly.  But that doesn't answer my original question.

SELinux blocked access to the file httpd doesn't need to have access to.
However, the question was why on startup httpd attempts to write to that
file (or at least open it for writing)?
