
gary.buhrmaster at gmail
Apr 23, 2012, 7:41 PM
Post #2 of 3
(229 views)
Permalink
> 1. Are they a good idea for mythweb functionality or performance?

They *may* be needed if you are running selinux in various enforcing modes, and depending on your policies.

> 2. Are there security implications where I wouldn't want to set this
> automatically?

This is as much philosophical as strictly technical. If *I* am running selinux, I do not want packages to change my httpd selinux settings silently or without my permission. I have absolutely no problem if I am asked, but if I want my system secure, I want it to stay secure until *I* explicitly approve of a change. I believe that such requirements (as in configuring httpd itself) should be documented in the README(s), and for those that do not RTFM, well, so be it. The bugzilla entry does indicate that this should be in the README, so I would agree with that recommendation (and no to automatic mangling). There are certainly others that think that systems should simply change security configurations as needed (they are also the group more likely to run MythTV as root.)

OT question: how many people are running MythTV with selinux in full enforcing mode (rather than permissive or disabled)? I remember trying to run my combined BE/FE in enforcing mode many many many many years ago (and many many many configuration changes ago), and things did not go well (it was due to my choice of partitioning, and the evil use of twisty symlinks, all different). Is enforcing mode now considered best practice?

> The selinux settings in question:
> setsebool httpd_builtin_scripting on

This already defaults to on for "targeted" mode and should not be needed unless someone has explicitly turned it off, but reminding them is not badness.

> setsebool httpd_can_network_connect on
> setsebool httpd_can_network_connect_db on

These default to off, and for full functionality would need to be set to on for at least *some* configurations (I am not sure if "localhost" counts as a network/db connection, but even so, in the general case, you may need them).

Gary

_______________________________________________
mythtv-dev mailing list
mythtv-dev [at] mythtv
http://www.mythtv.org/mailman/listinfo/mythtv-dev
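As an added example, not code from Gary's post or from the MythTV/MythWeb project: a POSIX sh script in the spirit of the ask-first position above. It reads the three httpd booleans named in the thread with getsebool, prints the `setsebool -P` lines an administrator would run for any that are currently off, and deliberately does not run them. The function names (needed_setsebool, selinux_mode), the constructed sample values used as a fallback where no SELinux tools exist, and the fallback itself are this example's own assumptions; getsebool, getenforce and `setsebool -P` are the standard policycoreutils commands. The boolean list is a variable, so the same check works for any other set of booleans.

```shell
#!/bin/sh
# Added example (not from the mythtv-dev thread, MythTV or MythWeb): report which
# httpd SELinux booleans MythWeb may need and print the setsebool commands an
# admin would run, without changing any policy setting itself.

# The three booleans named in the thread. Any other space-separated list works too.
MYTHWEB_BOOLS="httpd_builtin_scripting httpd_can_network_connect httpd_can_network_connect_db"

# Constructed sample of `getsebool <bool>...` output (format: "<name> --> on|off"),
# used so the script also runs on a host without SELinux tools. The values mirror
# the thread's description of the "targeted" defaults.
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off'

# selinux_mode: Enforcing, Permissive or Disabled from getenforce; Unknown if absent.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo Unknown
    fi
}

# needed_setsebool "<getsebool output>"
# Prints one "setsebool -P <name> on" line per boolean that is currently off
# (-P makes the change persist across reboots). Prints nothing if all are on.
# Exit status: 0 when nothing needs changing, 1 when at least one line was printed.
needed_setsebool() {
    printf '%s\n' "$1" | awk '
        $2 == "-->" && $3 == "off" { print "setsebool -P " $1 " on"; n++ }
        END { exit (n > 0) }
    '
}

# Use live values when getsebool exists and succeeds, otherwise the sample.
if command -v getsebool >/dev/null 2>&1 && current=$(getsebool $MYTHWEB_BOOLS 2>/dev/null); then
    source=live
else
    current=$SAMPLE_GETSEBOOL
    source="constructed sample"
fi

echo "SELinux mode: $(selinux_mode)  (boolean values from: $source)"
if needed_setsebool "$current"; then
    echo "All MythWeb httpd booleans are already on; nothing to do."
else
    echo "Review the lines above and run them as root if you agree; this script does not set them."
fi
```

Run it as an unprivileged user; nothing it does requires root, because it only reads. If the policy is set to the thread's defaults it prints the two `httpd_can_network_connect*` lines and leaves the decision to you.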