Hi
For instance, I'd tried using some CGI (and other languages) scripts to
do various things, such as show a man page in the browser. To do so
with SELinux would require changing lots of permissions in various
places. It's tedious to do, and not intuitive (there's some damn awful
labelling involved with SELinux).
It should be easy enough to enable httpd_enable_cgi if it isn't already. The
following Apache-related booleans are available:
allow_httpd_anon_write --> inactive
allow_httpd_sys_script_anon_write --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active
You can use system-config-securitylevel or setsebool.
I feel that SELinux and firewalls are a bit of a scam. You're hoping
that some third object will protect you against a flaw in what you're
using (Apache, for instance), instead of properly fixing whatever you're
using.
If the policies restrict access, you can conclusively restrict the
amount of damage through SELinux. While it is indeed good for the software
itself to be fixed, SELinux design is based on the assumption that
all software is inherently flawed. That way you get an extra level of
protection.
http://www.nsa.gov/selinux/papers/inevit-abs.cfm
regards
Rahul
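
Added example, not part of the original message: a shell function that reads a boolean listing in the format shown above and prints the setsebool commands needed to reach a desired state, without changing anything itself. The desired state in BASELINE and the name httpd_example_missing are assumptions made up for illustration; the listing is copied from the message.

```shell
#!/bin/sh
# Listing copied from the message above ("active"/"inactive" wording).
sample_listing() {
cat <<'EOF'
allow_httpd_anon_write --> inactive
allow_httpd_sys_script_anon_write --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active
EOF
}

# Assumed desired state (illustrative only); httpd_example_missing is a hypothetical name.
BASELINE="httpd_enable_cgi=on httpd_enable_homedirs=off httpd_ssi_exec=off httpd_can_network_connect=off httpd_example_missing=on"

# sebool_drift "name=on name=off ..."  (listing on stdin, commands on stdout)
sebool_drift() {
    awk -v spec="$1" '
        BEGIN {
            n = split(spec, item, " ")
            for (i = 1; i <= n; i++) {
                split(item[i], kv, "=")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        $2 == "-->" {
            # Accept both "active/inactive" and the "on/off" wording.
            if ($3 == "active" || $3 == "on") { state = "on" }
            else if ($3 == "inactive" || $3 == "off") { state = "off" }
            else { next }
            seen[$1] = 1
            if (($1 in want) && want[$1] != state)
                printf "setsebool -P %s %s\n", $1, want[$1]
        }
        END {
            # A baseline entry absent from the listing is usually a typo or a policy difference.
            for (i = 1; i <= n; i++)
                if (!(order[i] in seen))
                    printf "# %s: not in listing, check the name\n", order[i]
        }
    '
}

sample_listing | sebool_drift "$BASELINE"
```

On a live system the listing would come from getsebool -a instead of sample_listing; review the printed commands before running them as root.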