applying SELinux policy for httpd
Joe Orton
jorton at redhat.com
Thu Nov 3 14:22:46 UTC 2005
On Thu, Nov 03, 2005 at 09:12:24AM -0500, Stephen Smalley wrote:
> On Thu, 2005-11-03 at 14:10 +0000, Joe Orton wrote:
> > On Thu, Nov 03, 2005 at 09:00:04AM -0500, Stephen Smalley wrote:
> > > On Thu, 2005-11-03 at 10:15 +0000, Joe Orton wrote:
> > > > I'd also like to mention again that the new FC4 policy of only applying
> > > > SELinux policy if httpd is started from the init script is confusing the
> > > > hell out of people. It breaks the principle of least astonishment. I'd
> > > > much rather live with the fact that SELinux policy is *always* applied,
> > > > and the fallout from that, than see this confusion of people hitting
> > > > SELinux policy issues, get confused, restart httpd, see them disappear,
> > > > etc.
> > > >
> > > > I'd really like to see this change reverted for FC5.
> > >
> > > Previously discussed in this thread:
> > > http://marc.theaimsgroup.com/?t=112089638800001&r=1&w=2
> >
> > The argument above still stands after the change to make apachectl
> > behave like the init script. People are still getting confused by the
> > fact that Apache behaves differently if started via /usr/sbin/httpd.
>
> That's fine, but they then need to know to use runcon or to enable
> httpd_tty_comm if they want to run httpd -t and see the output on their
> tty.

It's a trade-off, and this is the more acceptable option to me.
Consistently different is better than inconsistently different. (But I
would really also prefer that httpd_tty_comm were active by default, to
avoid that issue as well.)

> Likewise for cgis, unless they are handled differently.

What's the problem for CGI scripts? I'm not sure what you're referring
to here.

Regards,
joe
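The confusion described in this thread boils down to httpd running in a different SELinux domain depending on how it was started. The following is an added example, not code from the thread or from the Fedora policy: a small POSIX sh helper that scans `ps -eZ`-style output for httpd processes whose type is not httpd_t. The sample process listing is constructed; on a live system you would pipe real `ps -eZ` output into `misdomained_httpd`.

```shell
# Constructed sample of `ps -eZ` output (FC4-era user:role:type contexts):
# one httpd started by the init script, so it runs as httpd_t, and one
# started by hand as /usr/sbin/httpd from a root shell, so it inherited
# the shell's unconfined_t domain and the httpd policy is not applied.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t         1234 ?        00:00:01 httpd
root:system_r:unconfined_t        1300 pts/0    00:00:00 httpd
root:system_r:unconfined_t        1301 pts/0    00:00:00 bash'

# Read `ps -eZ` lines on stdin and print the PID of every httpd process
# whose SELinux type (third colon-separated field of the label) is not
# httpd_t. Column order is LABEL PID TTY TIME CMD, so $2 is the PID and
# $5 the command name.
misdomained_httpd() {
    awk '$5 == "httpd" {
             split($1, ctx, ":")
             if (ctx[3] != "httpd_t") print $2
         }'
}

# Number of httpd processes in the sample running outside httpd_t.
# 0 means every httpd is confined the way the policy intends.
count_misdomained() {
    printf '%s\n' "$SAMPLE_PS" | misdomained_httpd | wc -l | tr -d ' '
}

# The thread's two remedies when httpd must be run by hand (not executed
# here; exact runcon arguments depend on the installed policy):
#   runcon -t httpd_t -- /usr/sbin/httpd -t   # start in the httpd domain
#   setsebool -P httpd_tty_comm 1             # let httpd_t write to a tty
```

On a live box, `ps -eZ | misdomained_httpd` lists the PIDs to look at; an empty result means no unconfined httpd is running.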