On 08/03/2015 06:34 AM, William Brown wrote:
> Hi,
>
> I'm trying to work on getting mod_selinux into EPEL.
>
> When testing this, I noticed the following denial:
>
> type=AVC msg=audit(1438573551.889:484): avc: denied { setcurrent } for
> pid=4988 comm="httpd" scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:system_r:httpd_t:s0 tclass=process
>
> What's the best approach to getting this into the selinux policy for rhel /
> mod_selinux? Should this be a boolean that you need to enable? Given the ability
> to change process context is powerful, I don't think it should be a default.
>
> Or should mod_selinux have this as a boolean, and define some extra types to
> transition down into to help make this a more secure default?
>
> Your advice is appreciated.
>
> Sincerely,
>

What OS do you use? On Fedora, mod_selinux comes with its own SELinux policy where it is allowed.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux