I checked your changes and webalizer worked, thank you. Russell Coker <russell@xxxxxxxxxxxx> wrote: > As a general rule we don't want to allow any daemons access to the > administrator console if we can avoid it. I'm not sure what the best thing > to do for webalizer is in this regard. I am not sure. What can attacker do , when he obtains write access right to console file? > We could have /var/www/usage labelled as httpd_sys_content_t. That gives less > types (less pain) for no significant decrease in security. I should probably > make a similar change to calamaris_t. I think we should pay attention when we give write access to homepage, because many users think homepage is important. In this configuration, if attacker has webalizer_t domain by some way, he can compromise whole homepages. And if administrator misconfigured /etc/webalizer.conf, homepages may be broken. I think we should give new type to /var/www/usage . --- Yuichi Nakamura Japan SELinux Users Group(JPSEG) http://www.selinux.gr.jp/
