A cgi issue
Daniel J Walsh
dwalsh at redhat.com
Tue Jul 16 14:55:16 UTC 2013
On 07/16/2013 10:11 AM, m.roth at 5-cent.us wrote:
> Before I create a local policy, could someone explain to me the reason that
> the standard policy (CentOS 6.4,
> selinux-policy-3.7.19-195.el6_4.12.noarch,
> selinux-policy-targeted-3.7.19-195.el6_4.12.noarch) does not allow a .cgi
> script to read a configuration file?
>
> grep ticket2 /var/log/audit/audit.log | audit2allow
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t httpd_config_t:file { read ioctl open getattr };
>
> mark
>
Probably because no one has asked. I guess you could argue there could be
private data in these files and we would not want to allow cgi scripts to read
it? Potentially secrets.