On Fri, 2004-10-08 at 17:38 +0100, Joe Orton wrote:
> I'm just not convinced it's the right decision to apply SELinux policy
> to Apache *by default*. New administrators have enough problems trying
> to configure stuff as it is,

I agree, Apache is a very complex daemon, with a lot of configuration possibilities. That is a very good reason for applying SELinux policy, since the policy prevents a misconfigured or compromised apache from damaging your system.

> without placing this invisible tripwire in
> front of them.

When people get permission denials, they will likely know to look in both /var/log/httpd/error_log; we just need to get people to know to look in /var/log/messages as well.

> It won't endear people to FC3 as a good web server platform if the PHP,
> CGI scripts etc,

With a weakened Apache policy, these should generally require no configuration. But it will give less protection as well.

> hell, even running httpd -t "just doesn't work"

True. But really, the syntax parsing should be a separate application. If the policy allowed the regular daemon access to the system administrator's terminal, then it could take over an existing root shell.

> out of
> the box when it did in past releases. They will go back to "chuck away
> the packaged stuff and build from sources"

That's bad advice. First of all, if they really want, they can disable enforcement just for Apache quite easily, as has been mentioned earlier. Second of all, reinstalling from sources will not be a reliable means to disable SELinux protection for Apache. It might work because the new binaries will inherit the generic sbin_t type, and so no transition will occur. But if the system is later relabeled, those files could be reset to the httpd_exec_t type, and then the transition will happen again.