Thanks Stephen. See answers below.

-brett

> On Tue, 2005-04-26 at 23:09 -0400, brett wrote:
> > Hi,
> >
> > I had to disable SELinux on my apache httpd in order to get my php scripts
> > to work. They proc_open() gpg and SELinux didn't like that. Is there
> > any way to allow gpg to get through proc_open() so I can still have SELinux
> > checking up on my webserver?
>
> Details, please:
> - what policy are you running: strict or targeted, FC3 or FC4/devel?

targeted. FC3

> - what httpd_* booleans do you have enabled?

httpd_disable_trans active
httpd_enable_cgi active
httpd_enable_homedirs active
httpd_ssi_exec active
httpd_tty_comm inactive
httpd_unified active

> - where have you placed the keyring for gpg that you want accessible via
> httpd?

/home/test/.gnupg

test is a user. Also, I plan on using symmetric encryption so I don't think it needs the keyring file.

> - what avc denials did you get in /var/log/messages (FC3)
> or /var/log/audit/audit.log (FC4)?

Apr 24 22:29:06 razorfold kernel: audit(1114396146.398:0): avc: denied { execute } for pid=6266 comm=gpg path=/etc/ld.so.cache dev=dm-0 ino=3919093 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:ld_so_cache_t tclass=file
Apr 24 22:29:06 razorfold kernel: audit(1114396146.398:0): avc: denied { execmod } for pid=6266 comm=gpg path=/usr/bin/gpg dev=dm-0 ino=4972274 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:bin_t tclass=file

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list