mod_selinux denial with httpd
William Brown
william at blackhats.net.au
Mon Aug 3 04:34:53 UTC 2015
Hi,
I'm trying to work on getting mod_selinux into EPEL.
When testing this, I noticed the following denial:
type=AVC msg=audit(1438573551.889:484): avc: denied { setcurrent } for
pid=4988 comm="httpd" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=process
What's the best approach to getting this into the selinux policy for rhel /
mod_selinux? Should this be a boolean that you need to enable? Given the ability
to change process context is powerful, I don't think it should be a default.
Or should mod_selinux have this as a boolean, and define some extra types to
transition down into to help make this a more secure default?
Your advice is appreciated.
Sincerely,
--
William Brown <william at blackhats.net.au>
More information about the selinux
mailing list