Re: targeted policy clashes CGI program under apache


 



On Mon, 2005-03-21 at 23:13 -0800, Ben wrote:

> My CGI does use glib threads; is that a bad thing?

Not a bad thing.  I think the CGI script policy author hadn't tested
multi-threaded scripts.

> I would like to use SELinux, but there's "like" and "need", and right 
> now I need to get this working. So, if there's no quick fix, is there a 
> way to disable SELinux on just this one CGI, do I have to disable it 
> for all of apache?

You have three options basically:

1) Disable enforcement for Apache
2) Install policy source and add the permission
3) Wait for an FC3 policy update with this fixed

One thing that we had recently discussed doing is adding a
httpd_sys_script_unconfined_exec_t type, which when executed by httpd_t
would cause a transition to unconfined_t (i.e. not be confined by
SELinux).  But I don't think this is done yet.

For 1), see the Fedora SELinux FAQ.
For 2), see:

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0096.html

Or:
http://fedora.redhat.com/docs/selinux-apache-fc3/sn-debugging-and-customizing.html#sn-simple-changes-to-policy-source

The major caveats with maintaining your own modified policy in this
fashion at the moment are that you have to know about using "make" etc.
to build it, and it's somewhat fragile with respect to upgrades.

Upstream SELinux work is going to make it a lot easier to create and
maintain policy changes from a binary policy.


