Re: applying SELinux policy for httpd

On Thu, 2005-11-03 at 14:10 +0000, Joe Orton wrote:
> On Thu, Nov 03, 2005 at 09:00:04AM -0500, Stephen Smalley wrote:
> > On Thu, 2005-11-03 at 10:15 +0000, Joe Orton wrote:
> > > I'd also like to mention again that the new FC4 policy of only applying 
> > > SELinux policy if httpd is started from the init script is confusing the 
> > > hell out of people.  It breaks the principle of least astonishment.  I'd 
> > > much rather live with the fact that SELinux policy is *always* applied, 
> > > and the fallout from that, than see this confusion of people hitting 
> > > SELinux policy issues, get confused, restart httpd, see them disappear, 
> > > etc.
> > > 
> > > I'd really like to see this change reverted for FC5.
> > 
> > Previously discussed in this thread:
> > http://marc.theaimsgroup.com/?t=112089638800001&r=1&w=2
> 
> The argument above still stands after the change to make apachectl 
> behave like the init script.  People are still getting confused by the 
> fact that Apache behaves differently if started via /usr/sbin/httpd.

That's fine, but they then need to know to use runcon or to enable
httpd_tty_com if they want to run httpd -t and see the output on their
tty.  Likewise for CGIs, unless they are handled differently.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
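
An added example, not part of the original message or of any Fedora tooling: a check that makes the behaviour discussed in this thread visible by listing httpd processes that are not running in the httpd_t domain. The `ps -eZ` sample is constructed, and the function names and the `unconfined_t` label shown for a directly started httpd are assumptions.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output (not captured from a real host).
# PID 2533 stands for an httpd started by hand from a shell, assumed to
# stay in the caller's domain instead of transitioning to httpd_t.
sample_ps() {
cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t        2101 ?        00:00:01 httpd
system_u:system_r:httpd_t        2104 ?        00:00:00 httpd
root:system_r:unconfined_t       2533 pts/0    00:00:00 httpd
user_u:system_r:unconfined_t:s0  2540 pts/1    00:00:00 bash
EOF
}

# Read `ps -eZ` lines on stdin; print "PID TYPE" for each httpd process
# whose SELinux type (third colon-separated label field) is not httpd_t.
# Splitting on ":" also copes with labels that carry a trailing level.
httpd_outside_domain() {
    awk '$NF == "httpd" {
        split($1, ctx, ":")
        if (ctx[3] != "httpd_t") print $2, ctx[3]
    }'
}

# Return 0 when every httpd process is in httpd_t, 1 otherwise.
check_httpd_confined() {
    offenders=$(httpd_outside_domain)
    [ -z "$offenders" ] && return 0
    echo "httpd running outside httpd_t:" >&2
    echo "$offenders" >&2
    return 1
}

# On a live SELinux host: ps -eZ | check_httpd_confined
sample_ps | httpd_outside_domain
```
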
