undefined | Better HN

0 pointsmodule00009y ago0 comments

If your www-user can read /etc/passwd without 'avc: denied' appearing in your selinux log, you are doing it wrong.

The whole idea behind selinux is to prevent this scenario from ever happening. Apache has a policy written for it, that specifies precisely which paths and contexts apache needs <X> type of access to. If it tries to access anything outside those paths and context, the selinux module denies the attempt. It's foolproof if you use it. It's also incredibly annoying if you are on a system with selinux enabled, but aren't familiar with selinux.

0 comments

dispose134329y ago

It's true, but containers are much easier to play with if your distro doesn't come with sane presets (Debian, for one)

j / k navigate · click thread line to collapse

0 pointsmodule00009y ago0 comments

If your www-user can read /etc/passwd without 'avc: denied' appearing in your selinux log, you are doing it wrong.

0 comments

dispose134329y ago

It's true, but containers are much easier to play with if your distro doesn't come with sane presets (Debian, for one)

j / k navigate · click thread line to collapse