selinux is a pain

Alan Cox alan at lxorguk.ukuu.org.uk
Tue Sep 20 18:57:15 UTC 2011


> If so, no wonder you're having grief.  While SELinux was off, your
> system was writing files without setting any SELinux contexts.  So,

If SELinux was set to permissive then it was writing data but allowing
actions, if not then when you switched it on it would have done an
automatic relabel on boot.

This looks like the standard SELinux and cgi stuff. It's in the
RHEL/Centos manual and very well documented elsewhere.

Essentially however file permissions are not enough to enable the
security policy to tell the difference between 'I've just busted your
php script again' and 'legitimate access'. Labelling the cgi, scripts and
data files allows you to tell it which files should be accessible and in
what way - which dramatically cuts the impact of the php exploit.

Alan

