SELinux managing-confined-services guide - call for review

Dominick Grift domg472 at gmail.com
Thu Apr 23 11:21:22 UTC 2009


On Thu, 2009-04-23 at 14:25 +1000, Scott Radvan wrote:

> I would greatly appreciate any and all comments or corrections that
> anyone has on it.

I like the examples; unfortunately, with regard to, for example, Apache, you
do not have an example for each boolean. That would probably be too
much, but it would be the best way to show when to use which boolean or
combination of booleans.

For example, we have had an issue on #fedora-selinux where httpd couldn't
do some permission to httpd_sys_content_t.

setroubleshoot suggested httpd_unified, but even with that bool set to
true, httpd was not able to do (I forgot which permission it was) to the
file.

I suggested to the user to just label the file httpd_sys_content_rw_t
and get it over with. (this worked)

However, later dwalsh suggested that this wasn't just solved by
httpd_unified because it required a combination of booleans to be set.

I'm not sure I remember correctly which combination this was, but I think:

httpd_enable_cgi, httpd_unified, httpd_enable_homedir

My point is that the idea of including examples is a very good idea in
my view, but that there aren't so many examples.



