- From: Ville Skyttä <ville.skytta@iki.fi>
- Date: Mon, 27 Jun 2005 11:53:03 +0300
- To: QA-dev Dev <public-qa-dev@w3.org>
On Mon, 2005-06-27 at 13:35 +0900, olivier Thereaux wrote: > Forgot to include relevant URIs I gathered through my quick research so > far: > "How do I go about writing a policy for a new program foo ?" (from the > unofficial FAQ) > -> http://www.crypt.gen.nz/selinux/faq.html#BSP.5 > "FC3, Apache and CGI web app" mail thread > -> http://www.nsa.gov/selinux/list-archive/0502/thread_body65.cfm > "Understanding and Customizing the Apache HTTP SELinux Policy" > -> http://fedora.redhat.com/docs/selinux-apache-fc3/ The last one is good reading, especially the "Individual Domains for Particular CGI Scripts" chapter. The doc has unfortunately not yet been updated for FC4, which places even more restrictions on CGI scripts than the FC3 policy, so it might not be entirely accurate. Another note, not critical but from the "good to know" department: getting the Validator to run under mod_perl in these environments could be, AFAICT, even tougher than running it as a CGI script. Under mod_perl, we're running inside or as part of the httpd process, and so the policy rules need to be applied to httpd, not the individual script. PHP is in sort of a similar situation, and there are some rules for it in the httpd policy, so it's probably doable. But the CGI part should come first anyway. > If you have other good documents to read on the topic, please send them > in. Not a document per se, but interactive help and discussion is available on the fedora-selinux-list, http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Received on Monday, 27 June 2005 08:53:08 UTC