Daniel J Walsh wrote:
Joe Orton wrote:
I'd also like to mention again that the new FC4 policy of only
applying SELinux policy if httpd is started from the init script is
confusing the hell out of people. It breaks the principle of least
astonishment. I'd much rather live with the fact that SELinux policy
is *always* applied, and the fallout from that, than see this
confusion of people hitting SELinux policy issues, get confused,
restart httpd, see them disappear, etc.
Maybe we could put something in apache to check if httpd_tty_comm is
active or at least see if writing to the terminal is allowed, if
(access(tty, W_OK)) then put a message in the log file stating that
output to the terminal is disabled; you can enable it using setsebool or
system-config-securitylevel.
We can change the default to httpd_tty_comm being true, but this
potentially allows CGI scripts to interact with the terminal, by default.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
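
The terminal check proposed in the message above, sketched as an added example; this is not code from httpd or from either poster. The function names are hypothetical, and it assumes a denial (from file modes or from SELinux policy) surfaces as `EACCES` from `access()`.

```c
/* Added example, not httpd source; all function names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum tty_status { TTY_WRITABLE, TTY_DENIED, TTY_NONE };

/* Map the result of access(tty, W_OK) to a status. Only EACCES counts as
 * "denied"; anything else (ENOENT, ENOTDIR, ...) means no usable terminal. */
enum tty_status classify_tty_access(int rc, int err)
{
    if (rc == 0)
        return TTY_WRITABLE;
    return err == EACCES ? TTY_DENIED : TTY_NONE;
}

/* Advisory check only: the result feeds a log message, not a security decision. */
enum tty_status check_tty(const char *tty)
{
    if (tty == NULL)            /* not started from a terminal */
        return TTY_NONE;
    int rc = access(tty, W_OK);
    return classify_tty_access(rc, errno);
}

/* Build the log line; returns 0 when there is nothing worth logging. */
int tty_log_hint(enum tty_status st, const char *tty, char *buf, size_t len)
{
    if (st != TTY_DENIED)
        return 0;
    return snprintf(buf, len,
        "output to terminal %s is disabled; enable it with "
        "'setsebool httpd_tty_comm 1' or system-config-securitylevel", tty);
}

int main(void)
{
    const char *tty = ttyname(STDERR_FILENO);   /* NULL if stderr is not a tty */
    char line[256];
    enum tty_status st = check_tty(tty);
    if (tty_log_hint(st, tty, line, sizeof line) > 0)
        printf("[notice] %s\n", line);          /* stand-in for the error log */
    return 0;
}
```

Because the hint is written only when the check reports a denial, a server started outside a terminal, or one with terminal access allowed, logs nothing extra.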