From: Tom <tom@lemuria.org>
To: SELinux <SELinux@tycho.nsa.gov>
Subject: apache 2 patch
Date: Thu, 24 Oct 2002 11:53:04 +0200
Message-ID: <20021024115304.A31446@lemuria.org>
The attached patch fixes the apache policy so that apache 2 works fine
in enforcing mode.

However, I am very unhappy with the read/write permissions on the
sysadm terminals. Here are some ideas I had to fix that, and I'd like
to hear comments on them:

a) try to fix the problem in the apache source.
b) write a wrapper that relabels the current (active) pts/tty and allow
   permission to that label only
c) write a wrapper that fiddles with the terminals.
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
[-- Attachment #2: apache2.diff --]
*** default/domains/program/apache.te Thu Oct 17 01:24:36 2002
--- current/domains/program/apache.te Thu Oct 24 13:38:23 2002
***************
*** 367,380 ****
########################################
# When the admin starts the server, the server wants to acess
! # the TTY or PTY associated with the session. The httpd appears
! # to run correctly without this permission, so the permission
! # are commented out here. If you decide that access is needed,
! # then uncomment, but be aware that this will grant httpd access
! # to all sysadm_r TTYs and PTYs.
##################################################
! allow httpd_t admin_tty_type:chr_file write;
! dontaudit httpd_t admin_tty_type:chr_file { read write };
###########################
# Allow httpd to receive messages from the network card
--- 367,381 ----
########################################
# When the admin starts the server, the server wants to acess
! # the TTY or PTY associated with the session. This is very bad
! # behaviour as it allows the server access to the sysadm_r TTYs
! # and PTYs, but apache2 doesn't work without.
! # If you run apache 1.x.x, try disabling this. For apache2,
! # this is currently the only solution.
##################################################
! allow httpd_t admin_tty_type:chr_file { read write };
! allow httpd_t sysadm_devpts_t:chr_file { read write };
!
###########################
# Allow httpd to receive messages from the network card
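Review bot: the two new rules `allow httpd_t admin_tty_type:chr_file { read write };` and `allow httpd_t sysadm_devpts_t:chr_file { read write };` widen the original policy (write only, with read and write dontaudited) to full read and write access on every sysadm_r TTY and PTY, and the rewritten comment only says apache2 "doesn't work without" it; please record the actual AVC denial that stops apache2 from starting so a reviewer can judge whether read is really required or whether the original dontaudit can be kept and only the failing operation allowed. If sysadm_devpts_t already carries the admin_tty_type attribute in this policy, the second rule is redundant and should be dropped. The lone `!` line that adds a blank line after the rules is noise in the hunk, and the typo "acess" in the untouched comment line could be fixed while this block is being rewritten anyway.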
***************
*** 401,406 ****
--- 402,408 ----
###################################################
allow httpd_t httpd_config_t:file r_file_perms;
allow httpd_t httpd_config_t:dir r_dir_perms;
+ allow httpd_t httpd_config_t:lnk_file r_file_perms;
# allow logrotate to read the config files for restart
ifdef(`logrotate.te', `
r_dir_file(logrotate_t, httpd_config_t)
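Review bot: the added `allow httpd_t httpd_config_t:lnk_file r_file_perms;` carries no comment explaining why httpd now needs to follow symlinks in its configuration directory; a one-line note above it (for example, that apache2 installations symlink configuration fragments into the config tree) would help the next reader of apache.te. Also consider whether `{ getattr read }` is sufficient for the lnk_file class instead of the full r_file_perms macro, since a symlink only needs to be stat'ed and read.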
Thread overview: 3+ messages
2002-10-24 9:53 Tom [this message]
2002-10-24 10:21 ` apache 2 patch Russell Coker
2002-10-24 10:31 ` Tom