On Tue, 2004-11-16 at 10:51 +0000, Joe Orton wrote:
> I dogfood it on all my test boxes. But the reality is that if you use a
> slightly non-default configuration for httpd

I wouldn't quite say that. I've been running a website with multiple custom virtual hosts and admins, suEXEC, and other fun stuff with the SELinux policy for about 1.5 years, and I've only had to write a bit of custom policy. Mostly things like allowing rsyncd to read from the website, etc.

> or enable any of the "interesting" modules,

Well, it depends on the particular modules. mod_rewrite for example can require no policy if you're just using regexps, but you can also configure it to talk to an external daemon for URL rewriting...

> or use any interesting PHP webapps,

The major problem with PHP is that it runs in-process, so we can't separate "stuff PHP webapp wants to do" from "compromised httpd". For example, most webapps will want write access to your web content, but you definitely don't want that for static file serving. When we get the Apache guide out, I think it would be useful to include in it configuration/policy tweaks people needed to get particular PHP applications to run.

> etc, then you are going to have to either write a shed-load of SELinux
> policy specific to your configuration,

I've been thinking recently about how to make this easier.

> or you're going to disable the httpd target in s-c-securitylevel.

That's just a fact of SELinux as far as I can tell.

>
> The conclusion I draw from this is, as I've said before, that it's not
> correct to have httpd covered by the SELinux policy *by default*.

I'm not sure; we've seen lots of issues, sure, but that's not surprising. There are a *lot* of people doing a lot of different things with Apache. The current policy works very well for static file serving and "typical" CGI scripts. I don't have a good sense for how many people are using Apache just for this kind of thing versus complex PHP apps.
But just like we ship Apache with the "UserDir" option disabled, directory indexing disabled, I think it makes sense to ship with Apache locked down tightly by SELinux per default, and have people open things up as they need it.
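The split the message describes (static content that httpd may only read, a webapp-owned directory that httpd may write, and rsyncd allowed to read the site tree) written out as a small SELinux policy module. This is an added example, not code from the thread or from the Fedora policy of the time: it uses the reference-policy loadable-module workflow (policy_module, semodule), which postdates this 2004 discussion, and the module name local_web and the paths under /srv/www/example are assumptions. The type names httpd_sys_content_t, httpd_sys_rw_content_t and rsync_t are those of the current targeted policy; the 2004-era policy used different names for the writable content type.

```selinux
# --- local_web.te : the policy module (name is an assumption) ---
policy_module(local_web, 1.0)

require {
    type rsync_t;
    type httpd_sys_content_t;     # static content: httpd_t may read, never write
    type httpd_sys_rw_content_t;  # content httpd_t (and so the in-process PHP app) may write
}

# rsyncd mirrors the site but never modifies it, so grant only the read-only
# permission sets from the reference policy (list_dir_perms, read_file_perms, ...)
allow rsync_t httpd_sys_content_t:dir list_dir_perms;
allow rsync_t httpd_sys_content_t:file read_file_perms;
allow rsync_t httpd_sys_content_t:lnk_file read_lnk_file_perms;

# Deliberately no rule granting httpd_t write access to httpd_sys_content_t.
# The targeted policy already lets httpd_t manage httpd_sys_rw_content_t, so
# the webapp's writes land only in the directories labelled that way below.

# --- local_web.fc : file contexts for the assumed layout ---
# setfiles/restorecon picks the entry with the longest literal prefix, so the
# uploads line overrides the htdocs line for everything beneath uploads/.
/srv/www/example/htdocs(/.*)?           gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/www/example/htdocs/uploads(/.*)?   gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile local_web.pp`, `semodule -i local_web.pp`, then `restorecon -Rv /srv/www/example`; confirm the labels with `ls -Z` and watch `ausearch -m AVC -ts recent` while exercising the site and the rsync export. The caveat the message raises still holds: labelling narrows what a compromised httpd can write to the uploads tree, but because PHP runs inside httpd_t it cannot tell the webapp apart from httpd itself.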