George Geller wrote:
> So many holes in the normal rules are required that I doubt it is worth
> the effort. Last time I checked, the TikiWiki guys recommended turning
> SE Linux off.
Looks like you only need to add 4 rules to make tikiwiki work:
allow httpd_sys_script_t self:capability { chown dac_override fowner fsetid };
allow httpd_sys_script_t devpts_t:chr_file { read write };
allow httpd_sys_script_t devpts_t:chr_file { getattr ioctl };
allow httpd_sys_script_t devpts_t:dir search;
Is that not right? None of these rules allow binding to local UDP ports
or writing to /tmp. The Lupper worm would be foiled. Seems plenty worth
it to me.
> That's one of the reasons I switched to plone.
One of the reasons you switched to plone is because it is easier to
configure SE Linux to work with plone?
--
Tracy R Reed
http://copilotconsulting.com
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
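As an added example (not part of the original thread), here is a small Python check that parses the four allow rules quoted above, including the one wrapped across two lines, and flags any rule that would hand the web-app domain the two things the post says it must not get: binding local UDP ports or writing under tmp_t. The rule text and the extra rule used to show the check firing are constructed for this example; the type and class names are standard SELinux reference-policy identifiers.

```python
import re
from typing import NamedTuple

class AllowRule(NamedTuple):
    source: str
    target: str
    tclass: str
    perms: frozenset

# Constructed input: the four tikiwiki rules from the post, with the first
# rule wrapped across two lines exactly as it appeared in the mail.
TIKIWIKI_RULES = """
allow httpd_sys_script_t self:capability { chown dac_override fowner
fsetid };
allow httpd_sys_script_t devpts_t:chr_file { read write };
allow httpd_sys_script_t devpts_t:chr_file { getattr ioctl };
allow httpd_sys_script_t devpts_t:dir search;
"""

# allow <source> <target>:<class> { p1 p2 ... };   or   allow ... <class> p;
RULE_RE = re.compile(
    r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+?))\s*;", re.S)

def parse_allow_rules(text):
    """Parse SELinux 'allow' statements; brace lists may span lines."""
    rules = []
    for m in RULE_RE.finditer(text):
        src, tgt, cls, braced, single = m.groups()
        perms = frozenset((braced if braced is not None else single).split())
        rules.append(AllowRule(src, tgt, cls, perms))
    return rules

# Permissions that would undo the containment the post describes:
# a local UDP listener, or write access to the shared /tmp type.
TMP_WRITE_PERMS = frozenset({"write", "create", "add_name", "append"})

def risky_grants(rules):
    """Return the rules that grant UDP name_bind or write access on tmp_t."""
    flagged = []
    for r in rules:
        if r.tclass == "udp_socket" and "name_bind" in r.perms:
            flagged.append(r)
        elif r.target == "tmp_t" and r.perms & TMP_WRITE_PERMS:
            flagged.append(r)
    return flagged

if __name__ == "__main__":
    parsed = parse_allow_rules(TIKIWIKI_RULES)
    print(f"{len(parsed)} rules parsed, {len(risky_grants(parsed))} risky")
```

Run the script against a real `.te` file before building it with checkmodule to confirm a local policy addition still denies the two operations the post relies on.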