> If you organize your /var/www tree in a conventional manner, then it
> should work fairly smoothly. Problems arise when people put CGIs all
> over the place (not just in cgi-bin), and don't use any conventions
> in separating files that should be read-only vs. read-write.

OK, you are selling me on the /var/www tree. What is "a conventional manner"? Needless to say you don't have to explain it all to me; perhaps you can point me to a resource that describes what you are talking about. For example, where do user PHP scripts live in this tree? Are they readable/writable by others?

> Simplest thing to do is just to install policy sources and just allow
> the permissions you want, e.g.
>
> yum install selinux-policy-targeted-sources
> cd /etc/selinux/targeted/src/policy
> repeat:
>   audit2allow -d >> domains/misc/local.te
>   make load
>   <retry operation>
>   <goto repeat if it fails>
>
> Might be quicker to switch to permissive mode (setenforce 0), run your
> CGI via apache, then run audit2allow once, as that will then collect
> _all_ of the audit messages that would have been denied in enforcing
> mode.

So selinux-policy-targeted-sources is something that lets me change policy? And audit2allow is something that monitors what processes are open and "allows" them to pass through SELinux?

Thanks,
-brett

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
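What the audit2allow step in the quoted procedure does with the denials in the audit log, as an added illustration (not from the list post and not the audit2allow tool itself): each denied permission is grouped by source type, target type and object class, and one allow rule per group is emitted in the .te syntax that local.te takes. The AVC lines below are constructed samples, and the type names in them are chosen for the example.

```python
import re
from collections import defaultdict

# Constructed AVC denial lines in the style audit2allow reads from the audit log.
SAMPLE_AVC = """\
type=AVC msg=audit(1100000000.001:10): avc:  denied  { read } for  pid=2001 comm="httpd" name="index.php" dev=hda1 ino=1001 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1100000000.002:11): avc:  denied  { getattr } for  pid=2001 comm="httpd" path="/home/brett/public_html/index.php" dev=hda1 ino=1001 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1100000000.003:12): avc:  denied  { write } for  pid=2002 comm="counter.cgi" name="hits.txt" dev=hda1 ino=1002 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:object_r:httpd_sys_content_t tclass=file
type=AVC msg=audit(1100000000.004:13): avc:  denied  { search } for  pid=2001 comm="httpd" name="brett" dev=hda1 ino=1000 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir
"""

# Pull the denied permission set, the two security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def domain_type(context):
    """user:role:type[:mls] -> type (the third field of a security context)."""
    return context.split(":")[2]

def collect_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (domain_type(m["scontext"]), domain_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def to_te_rules(rules):
    """Render the grouped denials as allow rules in .te syntax, one per group.
    Each rule still needs a human decision: a CGI writing into its own content
    directory (third sample line) may be exactly what the policy is meant to stop."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return lines

if __name__ == "__main__":
    for rule in to_te_rules(collect_denials(SAMPLE_AVC)):
        print(rule)
```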