[CentOS] httpd and krb5.conf

Doug Koobs dkoobs at dkoobs.com
Thu May 19 12:02:16 UTC 2005


Aleksandar Milivojevic said:
> I've noticed that SELinux blocks httpd (standard CentOS httpd, simply
> installed from RPM) from writing to krb5.conf file.  Question.  Why on
> earth would httpd need write access to krb5.conf file?!  Sure, it might
> need read access if it is configured to use Kerberos for authentication,
> but write!?  I mean, web server that modifies one of the critical files
> (which is used for authentication/authorization)?
Allow me to display my ignorance of all things SELinux:

SELinux is supposed to restrict services and programs from performing actions that
they don't have a need to be doing. Since httpd has no reason to write to the
krb5.conf file, SELinux restricts it. Kind of like a "Need to Know" policy. If
you're not familiar with Mandatory Access Control, read up on it; I think that is
what SELinux is about.

Doug



