SELinux Mailing List

Re: Apache 2 file contexts

From: Tom <tom_at_lemuria.org>
Date: Wed, 9 Oct 2002 17:25:04 +0200


Apache2 requires some weird socket access, that I traced to the following (by disabling all the dontaudits in the apache.te):

Oct 9 19:16:20 nsa2 kernel: avc: denied { read } for pid=5347 exe=/usr/sbin/apache2 path=/1 dev=00:07 ino=3 scontext=system_u:system_r:httpd_t tcontext=tom:object_r:sysadm_devpts_t tclass=chr_file

piping that into newrules tells me:

allow httpd_t sysadm_devpts_t:chr_file { read };

Which to my (still somewhat green) ears doesn't sound like a tremendously great idea.
It uses this only during startup, so I'm not entirely sure what it's doing. Anyone else played with Apache2 already?

--

PGP/GPG key: http://web.lemuria.org/pubkey.html pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>

     Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5

--

This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Wed 9 Oct 2002 - 11:42:24 EDT
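An added example, not part of the original post and not the code of newrules: a small parser for the AVC denial format quoted in the message, which merges denials by source type, target type and class and prints the candidate rule for review. The function names, the `keyword` parameter and the second sample log line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: line 1 is the denial quoted in the message; line 2 is a
# made-up denial (same source and target, different permission) to show merging.
SAMPLE_LOG = """\
Oct 9 19:16:20 nsa2 kernel: avc: denied { read } for pid=5347 exe=/usr/sbin/apache2 path=/1 dev=00:07 ino=3 scontext=system_u:system_r:httpd_t tcontext=tom:object_r:sysadm_devpts_t tclass=chr_file
Oct 9 19:16:21 nsa2 kernel: avc: denied { write } for pid=5347 exe=/usr/sbin/apache2 path=/1 dev=00:07 ino=3 scontext=system_u:system_r:httpd_t tcontext=tom:object_r:sysadm_devpts_t tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not a usable denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # A security context is user:role:type; rules are written on the type only.
    src = fields["scontext"].split(":")
    tgt = fields["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None
    return {"perms": m.group("perms").split(), "source": src[2], "target": tgt[2],
            "tclass": fields["tclass"], "exe": fields.get("exe")}


def rules_from_log(text, keyword="allow"):
    """Merge denials per (source, target, class) and emit one rule per group.

    keyword may be "allow" or "dontaudit"; the output is a candidate to review,
    not something to load into the policy unread.
    """
    merged = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return ["%s %s %s:%s { %s };" % (keyword, s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_LOG):
        print(rule)
```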

 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service