On Thu, 2004-10-07 at 17:36 +0100, Joe Orton wrote:
> That's surely not the whole story if SELinux is on by default and Apache
> is covered by the targeted policy. The fact seems to be that you have
> to know and understand SELinux to be able to do the normal things you do
> with Apache, e.g. write CGI scripts, or change httpd.conf.

Following up on this a bit - it would be possible to weaken the Apache
policy so that there are not separate types for user versus system
content, or CGI script executables versus CGI data. You'd just have a
single type, httpd_content_t. Then an administrator wouldn't have to know
how to run chcon to relabel executable CGI scripts or mark data as
readonly by the CGI script. However, you lose a number of advantages of
the normal Apache policy, such as compromised (or misconfigured) CGI
scripts not being able to delete your entire website.
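The relabelling step the post refers to, as an added example that is not part of the original thread: a small POSIX sh script that walks a document root and gives CGI executables and read-only content the two distinct targeted-policy types (httpd_sys_script_exec_t and httpd_sys_content_t), which is exactly the distinction a single httpd_content_t type would erase. The DOCROOT path, the DRY_RUN switch and the rule "anything under cgi-bin or with the execute bit is a CGI script" are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Labels a web tree so that CGI scripts
# and served content carry different SELinux types; with the stock targeted
# policy a CGI process running in its script domain can then read
# httpd_sys_content_t files but cannot write or unlink them.
DOCROOT="${DOCROOT:-/var/www}"   # assumption: where the site lives
DRY_RUN="${DRY_RUN:-1}"          # 1 = print chcon commands, 0 = run them

# Decide which type a file should carry. Files under a cgi-bin directory, or
# with the execute bit set (an assumed convention for ExecCGI directories),
# are CGI executables; everything else is read-only content.
label_for() {
    path="$1"
    case "$path" in
        */cgi-bin/*) echo httpd_sys_script_exec_t ;;
        *) if [ -f "$path" ] && [ -x "$path" ]; then
               echo httpd_sys_script_exec_t
           else
               echo httpd_sys_content_t
           fi ;;
    esac
}

# Emit (dry run) or apply the chcon for one file.
relabel() {
    path="$1"
    seltype=$(label_for "$path")
    if [ "$DRY_RUN" = 1 ]; then
        printf 'chcon -t %s %s\n' "$seltype" "$path"
    else
        chcon -t "$seltype" "$path"
    fi
}

# Relabel every regular file below a directory.
relabel_tree() {
    find "$1" -type f | while read -r f; do relabel "$f"; done
}

if [ -d "$DOCROOT" ]; then
    relabel_tree "$DOCROOT"
fi
```

chcon changes only the label on disk, so a later restorecon or full relabel reverts it; the persistent form of the same decision is a semanage fcontext rule followed by restorecon.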