begin quoting Tracy R Reed as of Tue, Nov 08, 2005 at 12:06:12PM -0800:
> George Geller wrote:
> > So many holes in the normal rules are required that I doubt it is worth
> > the effort. Last time I checked, the TikiWiki guys recommended turning
> > SE Linux off.
>
> Looks like you only need to add 4 rules to make tikiwiki work:
>
> allow httpd_sys_script_t self:capability { chown dac_override fowner fsetid };
> allow httpd_sys_script_t devpts_t:chr_file { read write };
> allow httpd_sys_script_t devpts_t:chr_file { getattr ioctl };
> allow httpd_sys_script_t devpts_t:dir search;
The finer-grained the control, the harder the rules are to read. :-/
> Is that not right? None of these rules allow binding to local UDP ports
> or writing to /tmp. The Lupper worm would be foiled. Seems plenty worth
> it to me.
Surely you'd want to disable access to gcc as well. Or is that just for
the previous worm?
[snip]
-Stewart "SELinux documentation :: insomnia cure" Stremler
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
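The four rules quoted above are raw allow rules, two of which cover the same source/target/class (devpts_t:chr_file) and would normally be merged before being loaded. The following script is an added example, not code from the thread, TikiWiki or the SELinux project: it parses allow rules in that syntax, merges duplicates, refuses to emit a module if any rule grants socket classes or tmp_t access (the two things the thread says these rules deliberately leave out), and writes out a loadable policy module source. It assumes the modular policy toolchain (checkmodule, semodule_package, semodule), which is newer than the 2005 thread; the module name tikiwiki_local and the file names are my own choices.

```python
"""Merge SELinux 'allow' rules and emit a loadable policy module (.te).

Added example for the kplug-list thread above; not the project's code.
"""
import re
from collections import OrderedDict

# Constructed input: the four rules quoted in the thread, with the wrapped
# first rule rejoined onto one line.
TIKIWIKI_RULES = """
allow httpd_sys_script_t self:capability { chown dac_override fowner fsetid };
allow httpd_sys_script_t devpts_t:chr_file { read write };
allow httpd_sys_script_t devpts_t:chr_file { getattr ioctl };
allow httpd_sys_script_t devpts_t:dir search;
"""

# allow <source> <target>:<class> { perm perm ... };   or   ... <class> perm;
ALLOW_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;$"
)

# Classes/targets that would undo the point of a tight CGI policy:
# network sockets (the Lupper worm binds a UDP port) and files in /tmp.
RISKY_CLASSES = {"udp_socket", "tcp_socket", "rawip_socket", "socket"}
RISKY_TARGETS = {"tmp_t"}


def parse_allow_rules(text):
    """Return a list of (source, target, class, frozenset(perms))."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ALLOW_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: %r" % line)
        src, tgt, cls, braced, single = m.groups()
        perms = frozenset((braced or single).split())
        rules.append((src, tgt, cls, perms))
    return rules


def merge_rules(rules):
    """Union the permissions of rules sharing (source, target, class)."""
    merged = OrderedDict()
    for src, tgt, cls, perms in rules:
        key = (src, tgt, cls)
        merged[key] = merged.get(key, frozenset()) | perms
    return merged


def risky_rules(merged):
    """Keys of merged rules that touch sockets or tmp_t."""
    return [k for k in merged if k[2] in RISKY_CLASSES or k[1] in RISKY_TARGETS]


def fmt_perms(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ %s }" % " ".join(p)


def to_te_module(name, merged, version="1.0"):
    """Emit policy source in the syntax 'checkmodule -M -m' accepts."""
    types = set()
    classes = {}
    for (src, tgt, cls), perms in merged.items():
        types.add(src)
        if tgt != "self":  # 'self' is a keyword, not a type to require
            types.add(tgt)
        classes[cls] = classes.get(cls, frozenset()) | perms
    lines = ["module %s %s;" % (name, version), "", "require {"]
    for t in sorted(types):
        lines.append("\ttype %s;" % t)
    for cls in sorted(classes):
        lines.append("\tclass %s %s;" % (cls, fmt_perms(classes[cls])))
    lines += ["}", ""]
    for (src, tgt, cls), perms in merged.items():
        lines.append("allow %s %s:%s %s;" % (src, tgt, cls, fmt_perms(perms)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    merged = merge_rules(parse_allow_rules(TIKIWIKI_RULES))
    bad = risky_rules(merged)
    if bad:
        raise SystemExit("refusing to emit module, risky rules: %r" % bad)
    # Assumed build/load steps for a modular policy (file names are mine):
    #   checkmodule -M -m -o tikiwiki_local.mod tikiwiki_local.te
    #   semodule_package -o tikiwiki_local.pp -m tikiwiki_local.mod
    #   semodule -i tikiwiki_local.pp
    print(to_te_module("tikiwiki_local", merged))
```

The risky_rules check is the one worth keeping: when audit2allow-style output grows past four lines it is easy to wave through a udp_socket or tmp_t rule that silently hands back exactly what the confinement was meant to deny.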