> If you organize your /var/www tree in a conventional manner, then it
> should work fairly smoothly. Problems arise when people put CGIs all over
> the place (not just in cgi-bin), and don't use any conventions in
> separating files that should be read-only vs. read-write.
OK, you are selling me on the /var/www tree. What is "a conventional
manner"? Needless to say, you don't have to explain it all to me; perhaps
you can point me to a resource that describes what you are talking about.
For example, where do user PHP scripts live in this tree? Are they
readable/writable by others?
> Simplest thing to do is just to install policy sources and just allow
> the permissions you want, e.g.
> yum install selinux-policy-targeted-sources
> cd /etc/selinux/targeted/src/policy
> repeat:
> audit2allow -d >> domains/misc/local.te
> make load
> <retry operation>
> <goto repeat if it fails>
> Might be quicker to switch to permissive mode (setenforce 0), run your
> CGI via apache, then run audit2allow once, as that will then collect
> _all_ of the audit messages that would have been denied in enforcing
> mode.
So selinux-policy-targeted-sources is something that lets me change
policy?
And audit2allow is something that monitors what processes are open and
"allows" them to pass through SELinux?
Thanks,
-brett
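The quoted recipe above (run the CGI in permissive mode, then let audit2allow turn the logged AVC denials into allow rules for a local .te file) is easier to reason about once you see what that translation actually does. The script below is an added illustration, not part of the original thread and not the real audit2allow: it parses a handful of constructed AVC audit lines (hypothetical pids, inodes and paths) into allow rules of the form audit2allow emits, merging all permissions denied for the same source type, target type and object class into one rule, and flags the rules a practitioner should look at before running `make load`, since blindly loading everything the log shows would also grant write access to web content and outbound connections.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the original thread): roughly what a
# permissive-mode run of a CGI under httpd could log to /var/log/audit/audit.log.
# pid, inode, paths and the timestamps are made up for the example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1100000001.123:45): avc:  denied  { read } for  pid=2345 comm="myscript.cgi" name="config.txt" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1100000001.456:46): avc:  denied  { getattr } for  pid=2345 comm="myscript.cgi" path="/home/brett/config.txt" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1100000002.789:47): avc:  denied  { write } for  pid=2345 comm="myscript.cgi" name="counter.dat" dev=sda1 ino=12346 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
type=AVC msg=audit(1100000003.012:48): avc:  denied  { name_connect } for  pid=2345 comm="myscript.cgi" dest=3306 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1100000003.012:48): arch=40000003 syscall=102 success=yes exit=0
"""

# One AVC denial: the permission set in braces, then the source context,
# target context and object class of the access that was denied.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions worth a second look before they go into a local policy module.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr"}
NETWORK_LIKE = {"name_connect", "name_bind"}


def domain_type(context):
    """Extract the type field from user:role:type[:level]."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Group denied permissions by (source type, target type, class).

    Non-AVC records (SYSCALL, PATH, ...) are ignored, just as audit2allow
    only cares about the avc: denied lines.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (domain_type(m["scontext"]), domain_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def to_te_rules(rules):
    """Render the grouped denials as policy-language allow rules."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return lines


def flag_for_review(rules):
    """Return the rules that widen write or network access, i.e. the ones a
    'just allow whatever was denied' loop would silently grant."""
    flagged = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        if perms & WRITE_LIKE or perms & NETWORK_LIKE:
            flagged.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return flagged


if __name__ == "__main__":
    grouped = parse_denials(SAMPLE_AUDIT_LOG)
    print("# generated rules (review before appending to local.te)")
    for rule in to_te_rules(grouped):
        print(rule)
    print("# rules that grant write or network access:")
    for rule in flag_for_review(grouped):
        print(rule)
```

The two flagged rules are the point of the caveat in the quoted advice: letting a CGI write into `httpd_sys_content_t` files or open a TCP connection may be exactly what the script needs, or it may be a sign that the file belongs in a read-write directory with a different label, or that the script should not be talking to the network at all. The read/getattr rule on `user_home_t` is the classic symptom of a CGI reading files out of a home directory instead of the /var/www tree, which is the layout problem the first reply describes.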