"Dominick Grift wrote:"
On Thu, Dec 03, 2009 at 08:35:56PM -0800, David Highley wrote:
> A common virtual web hosting set up would be a web root directory
> location with the following sub directories:
> ftp
> logs
> pages
> pages/cgi-bin
>
> Under ftp you would have all that is needed for a chroot ftp sandbox.
> Since each virtual host would be a different user and or company how
> does one change sebool httpd_unified to off and get it all to work with
> selinux?
Well PHP needs httpd_unified but if you use CGI like perl or c or bash or
whatever then basically you would set httpd_enable_cgi and
httpd_builtin_scripting booleans. Then label the locations with a proper type.
I'm not sure the statement that PHP needs httpd_unified on is correct in
Fedora 12. I just finished doing some testing of Mythtv with this
setting turned off. I tested all TV recording, weather, and streaming
video available through the web interface and it all seems to be working
now. Granted there is a lot more to full backend Mythtv setup but it was
looking pretty good. Dan has put in two policy updates which should be
out pretty soon.
I'm not done, but I also ran a quick test of squirrelmail with dovecot
for off site email access and that appears to be working. Squirrelmail
is all PHP.
for example:
# ftp:
/srv/ftproot(/.*)? public_content_rw_t
setsebool -P allow_ftpd_anon_write on (allow ftpd to write to /srv/ftproot)
setsebool -P allow_httpd_anon_write on (allow httpd to write to /srv/ftproot) (for php/httpd unified)
setsebool -P allow_httpd_sys_script_anon_write on (allow httpd system cgi scripts to write to /srv/ftproot) (other cgi)
# logs
/srv/www/logs(/.*)? httpd_sys_content_ra_t
# static content
/srv/www/html(/.*)? httpd_sys_content_t
# cgi
/srv/www/cgi-bin(/.*)? httpd_sys_script_exec_t
The above is just an example. It may or may not be what you would want.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Regards,
David Highley
Highley Recommended, Inc. Phone: (206) 669-0081
2927 SW 339th Street WEB:
http://www.highley-recommended.com
Federal Way, WA 98023-7732
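
The per-virtual-host layout from the question (ftp, logs, pages, pages/cgi-bin) combined with the types suggested in the reply, as an added example that is not part of the original thread. It only prints the semanage/restorecon/setsebool commands for review; the web root /srv/vhosts/example.com and the function names are constructed for illustration, and mapping "pages" to httpd_sys_content_t is an assumption.

```shell
#!/bin/sh
# Added example: prints (does not run) SELinux labeling commands for one
# virtual host. Type and boolean names are the ones used in the thread.

# Escape regex metacharacters so a directory named "example.com" is matched
# literally by the file-context pattern instead of "." matching any character.
fc_escape() {
    printf '%s' "$1" | sed 's/[][\.*^$+?(){}|]/\\&/g'
}

# Usage: vhost_selinux_plan /absolute/web/root
vhost_selinux_plan() {
    root=${1%/}
    case $root in
        /*) ;;
        *) echo "web root must be an absolute path below /" >&2; return 1 ;;
    esac
    case $root in
        *[[:space:]]*|*"'"*)
            echo "refusing path with whitespace or quotes" >&2; return 1 ;;
    esac
    re=$(fc_escape "$root")
    # subdir:type pairs; the narrower cgi-bin pattern is emitted after the
    # broader pages pattern it overlaps with.
    for pair in \
        "ftp:public_content_rw_t" \
        "logs:httpd_sys_content_ra_t" \
        "pages:httpd_sys_content_t" \
        "pages/cgi-bin:httpd_sys_script_exec_t"
    do
        printf "semanage fcontext -a -t %s '%s/%s(/.*)?'\n" \
            "${pair#*:}" "$re" "${pair%%:*}"
    done
    # Apply the new contexts to files that already exist.
    printf 'restorecon -R -v %s\n' "$root"
    # Booleans are system-wide, not per virtual host.
    printf 'setsebool -P httpd_unified off\n'
    printf 'setsebool -P httpd_enable_cgi on\n'
    printf 'setsebool -P allow_ftpd_anon_write on\n'
}

# Constructed sample web root.
vhost_selinux_plan /srv/vhosts/example.com
```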