Another Apache problem

Daniel J Walsh dwalsh at redhat.com
Mon Apr 4 21:01:03 UTC 2005


David Hampton wrote:

>On Mon, 2005-04-04 at 16:09 -0400, Daniel J Walsh wrote:
>
>>Do you have httpd_unified && httpd_enable_cgi && httpd_builtin_scripting 
>>turned on?
>>
>>getsebool -a | grep httpd
>
>httpd_builtin_scripting --> inactive
>httpd_can_network_connect --> inactive
>httpd_enable_cgi --> active
>httpd_enable_homedirs --> active
>httpd_ssi_exec --> active
>httpd_tty_comm --> inactive
>httpd_unified --> inactive
>
>I don't think I've ever set any of these (except maybe homedirs), so I
>can't tell you why they are in this state.
>
>
>>setsebool -P httpd_enable_cgi=1 httpd_unified=1 httpd_builtin_scripting=1
>>Will turn it on.
>
>Thanks.
>
>My question is the obvious one.  Why do I need to enable cgi, unified
>and scripting in order to serve static web pages?
>
>David
>
Because we have a bug in policy.

All you needed to turn on is httpd_builtin_scripting=1

r_dir_file(httpd_t, http_$1_content_t) was locked in this boolean.

I have moved it outside, and once you update to tomorrow's policy, you should
be able to turn off all booleans and still serve pages.

Updated policy is available now at
Fedora/selinux-policy-*-1.23.6-3.noarch.rpm
ftp://people.redhat.com/dwalsh/SELinux/Fedora
