SELinux Mailing List
Re: New Apache policy
From: Russell Coker <russell_at_coker.com.au>
Date: Thu, 24 Oct 2002 16:43:38 +0200
The problem with PHP is that it requires giving the httpd_t domain more access than you might otherwise want.
I am thinking of addressing this by having some macros file doing define()
statements for what functionality you want. So you could do the following if
you want PHP:
Your comment about sysadm terminal access is inaccurate. Apache2 should work perfectly when started from system boot!

I suggest using r_dir_file() for the config entries, it means 1 line of policy instead of 3 and makes it easier to read.

> However, I have also included my very first own from-scratch policy

+# svn_t is the domain for the subversion client programs.
+# svn_sysadm_t is the domain for the subversion client programs if run by the sysadmin.

Why not use a macro for this as is done for the user_irc_t, user_ssh_t, etc? I think that using a macro will give better security and also make the policy easier to read and manage.

> Finally, there is also a tiny fix for postfix that is required on my

The thing to do with Postfix is to configure it to not use chroot. I think that configuring Postfix with chroot on SE Linux actually decreases security as the types of the files for the chroot environment (which are re-copied at every system boot) are difficult to manage. If you have chroot with Postfix you will have to do MUCH more than 1 line of changes to get it working properly!

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

Received on Thu 24 Oct 2002 - 11:09:13 EDT
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009