Re: selinux is a pain
- From: Bruno Wolff III <bruno@xxxxxxxx>
- Date: Tue, 20 Sep 2011 08:57:52 -0500
On Tue, Sep 20, 2011 at 09:31:14 -0300,
Martín Marqués <martin.marques@xxxxxxxxx> wrote:
For example, I moved the trac repos to /var/lib/trac, and so apache
needs extra append and access policy on some of those directories. How
would I add those policies?
If you move stuff around that affects the default labelling. You can use
semanage and restorecon to have the new location have the correct defaults.
Giving the web server access to stuff is risky. The level of risk and benefit
is something you need to evaluate. But you can label the new location so
that it will be accessible to the web server. This may cause issues for
other processes trying to read or write thise files. If so, you may need
to do a custom policy. The simplest thing is to use audit2allow to see
what access is needed to allow the service to run. (If done in enforcing mode
this might take a few iterations.) However you might not want to let the
web server have access to all files labelled say var_lib_t. So it may turn
out that you need to create some new labels for the specific files you
want to let the web server have access to.
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
- Follow-Ups:
- Re: selinux is a pain
- From: Richard Shaw
- Re: selinux is a pain
- References:
- selinux is a pain
- From: Martín Marqués
- Re: selinux is a pain
- From: Ed Greshko
- Re: selinux is a pain
- From: Martín Marqués
- selinux is a pain
- Prev by Date: Re: selinux is a pain
- Next by Date: Re: How to permanently delete root CAs from mozilla products?
- Previous by thread: Re: selinux is a pain
- Next by thread: Re: selinux is a pain
- Index(es):
Relevant Pages
|
