W3C home > Mailing lists > Public > public-qa-dev@w3.org > June 2005

Re: Regarding WMVS packages in FC3 and FC4

From: Ville Skyttä <ville.skytta@iki.fi>
Date: Mon, 27 Jun 2005 11:53:03 +0300
To: QA-dev Dev <public-qa-dev@w3.org>
Message-Id: <1119862383.22291.184.camel@localhost.localdomain>

On Mon, 2005-06-27 at 13:35 +0900, olivier Thereaux wrote:

> Forgot to include relevant URIs I gathered through my quick research so 
> far:
> "How do I go about writing a policy for a new program foo ?" (from the 
> unofficial FAQ)
> -> http://www.crypt.gen.nz/selinux/faq.html#BSP.5
> "FC3, Apache and CGI web app" mail thread
> -> http://www.nsa.gov/selinux/list-archive/0502/thread_body65.cfm
> "Understanding and Customizing the Apache HTTP SELinux Policy"
> -> http://fedora.redhat.com/docs/selinux-apache-fc3/

The last one is good reading, especially the "Individual Domains for
Particular CGI Scripts" chapter.  The doc has unfortunately not yet been
updated for FC4, which places even more restrictions on CGI scripts than
the FC3 policy, so it might not be entirely accurate.

Another note, not critical but from the "good to know" department:
getting the Validator to run under mod_perl in these environments could
be, AFAICT, even tougher than running it as a CGI script.  Under
mod_perl, we're running inside or as part of the httpd process, and so
the policy rules need to be applied to httpd, not the individual script.
PHP is in sort of a similar situation, and there are some rules for it
in the httpd policy, so it's probably doable.  But the CGI part should
come first anyway.

> If you have other good documents to read on the topic, please send them 
> in.

Not a document per se, but interactive help and discussion is available
on the fedora-selinux-list,
Received on Monday, 27 June 2005 08:53:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:54:49 UTC