On Thu, Oct 07, 2004 at 11:52:09AM -0400, Colin Walters wrote: > On Thu, 2004-10-07 at 10:30 -0500, Chris Adams wrote: > > > We sell web hosting, and believe me, customers will upload their files > > to just about anywhere on the server they have write access (and they'll > > try other places without knowing why). Shared web hosting is a perfect > > environment for SELinux, but this would be a killer. Explaining that > > their CGIs have to have execute permission is hard enough. > > I think that explaining what your users need to do for SELinux in this > case is quite similar to explaining execute permissions. > > CGI scripts for example in the default Apache policy need to be > httpd_user_script_exec_t. CGI script data needs to be > httpd_user_script_ro_t or httpd_user_script_rw_t. There's no way for > SELinux to automatically guess what data you want writable by the CGI > and what you don't. > > You simply need to have users be aware of chcon -t if you want the > additional security. Although: That's surely not the whole story if SELinux is on by default and Apache is covered by the targetted policy. The fact seems to be that you have to know and understand SELinux to be able to do the normal things you do with Apache, e.g. write CGI scripts, or change httpd.conf. I can't help thinking this will be a large source of user confusion. And the stderr-eating behaviour is very annoying. # service httpd configtest # ... should print "OK". joe
