Creating an SELinux module for CGI scripts

  • Posted on: 13 September 2013
  • By: marceln
Track: System Administration
Day: Sunday
Author: Marcel Nijenhof
Room: Track 1 (left)
Paper:

SELinux is a security framework for enforcing security policies. In the
default SELinux setup, many externally accessible daemons have policies
that restrict their access to the system. These policies thus provide an
extra layer of protection for the system.

In many cases these restrictions are useful, but there are cases where
you want to allow access that the default policy prohibits.

One example of such a restriction is that general access to "/proc" is not
allowed from the webserver. This restriction prevents a CGI script from
producing a complete "ps -ef" listing.

We will demonstrate how to create an SELinux module that allows this
access for just one script, without disabling SELinux.

Time: 12:00 - 13:00 hrs