mod_selinux denial with httpd

Miroslav Grepl mgrepl at redhat.com
Mon Aug 3 11:00:26 UTC 2015


On 08/03/2015 06:34 AM, William Brown wrote:
> Hi,
> 
> I'm trying to work on getting mod_selinux into EPEL.
> 
> When testing this, I noticed the following denial:
> 
> type=AVC msg=audit(1438573551.889:484): avc:  denied  { setcurrent } for pid=4988 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
> 
> What's the best approach to getting this into the selinux policy for rhel /
> mod_selinux? Should this be a boolean that you need to enable? Given the ability
> to change process context is powerful, I don't think it should be a default.
> 
> Or should mod_selinux have this as a boolean, and define some extra types to
> transition down into to help make this a more secure default?
> 
> Your advice is appreciated.
> 
> Sincerely,
> 
> 
> 
What OS do you use? On Fedora, mod_selinux comes with own SELinux policy
where it is allowed.



-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
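The denial quoted above and the "should this be a boolean" question can be worked through on the command line. The following is an added example, not code from the thread or from the mod_selinux project: it parses the AVC record into its source type, target type, class and permissions, turns it into the allow rule it would take to silence it (the same shape audit2allow emits), and then writes a loadable module in raw checkmodule syntax in which that rule is gated behind a boolean that defaults to off. The module name `mod_selinux_local` and the boolean name `mod_selinux_local_setcurrent` are assumptions for this example, not existing Fedora or RHEL policy names.

```shell
#!/bin/sh
# Constructed sample: the AVC record from the thread, re-joined onto one line.
AVC='type=AVC msg=audit(1438573551.889:484): avc:  denied  { setcurrent } for pid=4988 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process'

# Pull one key=value field (scontext, tcontext, tclass, comm, ...) out of an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The permissions inside the braces, e.g. "setcurrent" or "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# Third field of user:role:type:level is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Translate the record into the allow rule that would silence it.
# Same source and target type collapses to "self", as in audit2allow output.
avc_to_allow() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    [ "$src" = "$tgt" ] && tgt=self
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# Emit module source (raw checkmodule syntax, not refpolicy macros) that grants
# the rule only while the boolean is on. Module and boolean names are
# assumptions for this example, not names shipped by any distribution policy.
write_module() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    rule=$(avc_to_allow "$1")
    extra_type=""
    [ "$src" != "$tgt" ] && extra_type="    type $tgt;"
    cat <<EOF
module mod_selinux_local 1.0;

require {
    type $src;
$extra_type
    class $cls { $perms };
}

# Off by default: the permission is only granted after an administrator runs
#   setsebool -P mod_selinux_local_setcurrent on
bool mod_selinux_local_setcurrent false;

if (mod_selinux_local_setcurrent) {
    $rule
}
EOF
}

# Stand-alone run: show the derived rule and the generated module source.
avc_to_allow "$AVC"
write_module "$AVC"
```

The generated source can be built and loaded with the standard tool chain (`checkmodule -M -m -o mod_selinux_local.mod mod_selinux_local.te`, `semodule_package -o mod_selinux_local.pp -m mod_selinux_local.mod`, `semodule -i mod_selinux_local.pp`), and `getsebool mod_selinux_local_setcurrent` confirms it stays off until deliberately enabled. Two caveats a reviewer would raise: `setcurrent` on `self` only lets httpd ask to change its own context; the `setcon()` call behind mod_selinux also needs a `dyntransition` rule from `httpd_t` to each target domain, which is where the "extra types to transition down into" from the question would be declared and where the real narrowing happens. And, as the reply notes, on Fedora the mod_selinux package already carries its own policy module, so a local module like this is only for a platform whose policy does not already cover it.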

