SELinux, mod_perl 2.x, Apache::DB
If you run a Fedora or RedHat box with SELinux enabled, then you will find
that you can't use Apache::DB to interactively debug your code. The issue
is that the default for the "targeted" policy is to not allow apache to
interact with the console.
The solution is twofold:
1. You need to run the command "setsebool httpd_tty_comm true" which will
activate some conditional policy rules to allow apache to communicate with
the console.
2. The conditional rules do not allow all the permissions you need for
interactive debugging, so you need to add this to your locale.te file and
reload the policy.

    if (httpd_tty_comm) {
        allow { httpd_t } admin_tty_type:chr_file { ioctl getattr };
    }

I thought I would post this in case anyone else runs into this issue.
Working with apache on a machine with SELinux enabled can be tricky at
times, but it is definitely a decent tool to assist you in security.
I will send a documentation patch to Frank Wiles later this week, but it
will probably be a while before he gets Apache::DB updated since he is just
returning from a vacation.
//========================================================\\
|| D. Hageman <dhageman@xxxxxxx.xxx> ||
\\========================================================//
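
An added example (not part of the original post): a Python sketch that reads AVC denial lines and lists which chr_file permissions httpd_t was refused, one way to confirm that ioctl and getattr are the gaps the rule above fills. The log lines, the target type name sysadm_devpts_t and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the body of an AVC denial; tolerant of text before "avc:" and after tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample denials (not taken from a real system).
SAMPLE_LOG = """\
audit(1111599360.101:0): avc:  denied  { ioctl } for  pid=2345 exe=/usr/sbin/httpd path=/dev/pts/1 dev=devpts ino=3 scontext=root:system_r:httpd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
audit(1111599360.102:0): avc:  denied  { getattr } for  pid=2345 exe=/usr/sbin/httpd path=/dev/pts/1 dev=devpts ino=3 scontext=root:system_r:httpd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
audit(1111599361.200:0): avc:  denied  { read } for  pid=2345 exe=/usr/sbin/httpd name=notes.txt dev=hda2 ino=77 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
audit(1111599362.300:0): avc:  denied  { ioctl } for  pid=999 exe=/usr/sbin/named path=/dev/pts/1 dev=devpts ino=3 scontext=root:system_r:named_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
"""

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def denied_perms(lines, source_type="httpd_t", tclass="chr_file"):
    """Map target type -> sorted permissions denied to source_type on tclass."""
    denied = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        if context_type(m["scon"]) != source_type or m["tclass"] != tclass:
            continue  # another domain or object class
        denied[context_type(m["tcon"])].update(m["perms"].split())
    return {t: sorted(p) for t, p in denied.items()}

def as_allow_rules(denied, source_type="httpd_t", tclass="chr_file"):
    """Render the summary as candidate allow rules for human review.

    Denials name the concrete target type; the rule in the post grants
    against the admin_tty_type attribute instead.
    """
    return [
        f"allow {source_type} {t}:{tclass} {{ {' '.join(p)} }};"
        for t, p in sorted(denied.items())
    ]

if __name__ == "__main__":
    for rule in as_allow_rules(denied_perms(SAMPLE_LOG.splitlines())):
        print(rule)
```

Review each candidate rule before adding it to policy: a denial only shows what was attempted, not that it should be permitted.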
D. Hageman 17:36 on 23 Mar 2005