SELinux/httpd integration
Joe Orton
jorton at redhat.com
Tue Nov 23 15:48:22 UTC 2004
On Mon, Nov 22, 2004 at 05:59:10PM -0500, Colin Walters wrote:
> On Mon, 2004-11-22 at 17:30 -0500, Yuichi Nakamura wrote:
>
> > I think it should grant fewer permissions.
> > Why should httpd_t write all contents in httpd_unified?
>
> Ah, I see what you're saying now. Right. Dan added that recently for
> PHP scripts, I believe.
>
> > So, I feel that allowing httpd_t write permission to all contents is out of scope of httpd_unified.
>
> I agree now. Conceptually they are separate things. A new boolean like
> httpd_content_writable sounds good to me. Sorry about misunderstanding
> you originally.

But this boolean is going to be on by default?

I'm going to add this text to /etc/httpd/conf.d/subversion.conf since it
(currently :) works out-of-the-box: is the terminology "labelled with a
context" correct?

#
# Example configuration to enable HTTP access for a directory
# containing Subversion repositories, "/var/www/svn". Each repository
# must be readable and writable by the 'apache' user. Note that if
# SELinux is enabled, the repositories must be labelled with a context
# which httpd can write to; this will happen by default for
# directories created in /var/www.
#