PacketFence 4.0 released
Posted May 11, 2013 5:07 UTC (Sat) by dlang (✭ supporter ✭, #313)
With AppArmor there is the potential for a package to include a policy file that only applies to it, but even that is dangerous.
But you _really_ don't want to start allowing packages (especially packages you don't download from your distro) to modify your global SELinux policy.
If you start doing these sorts of things, you may as well just disable the security policy entirely.
Posted May 16, 2013 20:17 UTC (Thu) by dpquigl (guest, #52852)
There is a policy that is upstream of the Fedora/RHEL policies. It's called reference policy. If you want your application to work on any distro that consumes reference policy then just work with us and get it written and included and then you get the downstream benefits. However, if you decide to punt instead then you can't really blame us for your application not being supported.
I'd imagine that one of the many issues they have is with their administration interface. I'm sure it's getting installed to some non-standard location and the SELinux labeling is all messed up. Then I'd also imagine it's trying to run all sorts of confined commands from Apache's context. You can see why it's probably good that we don't allow this by default.
There are more than enough people capable of spending the time to help them write a policy to confine their webapp admin interface. Hell, if this were my job still and I had time to do more than consolidate helpful SELinux information I'd help personally.