On Tue, 17 Mar 2009 15:33:08 +1000 Scott Radvan <sradvan@redhat.com> wrote:
Hi all,
I have taken ownership of development on the Fedora 11 SELinux (Managing Confined Services) guide, and am currently trying to build on the descriptions of the purposes, uses and implications of enabling/disabling some of the available Booleans.
I am wondering if anybody can expand or has any comments on this description of the httpd_unified Boolean, as there doesn't seem to be a great deal out there about it.
"This Boolean is off by default; turning it on will allow all httpd executables to have full access to all content labeled with a http file context. Leaving it off makes sure that one httpd service cannot interfere with another."
Specifically, I am interested in what is meant by a service that cannot "interfere with another" in the case of httpd_unified, but any comments which may help me refine the description are more than welcome.
I think this means that, say, httpd_bugzilla_script_t can't access httpd_sys_* files and httpd_sys_script_t can't access httpd_bugzilla_* files, etc.
Paul.
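To check concretely which cross-service accesses a Boolean such as httpd_unified switches on, the following added example (not part of the thread) parses sesearch-style allow rules and groups the conditional ones by source and target domain. The sample output is constructed, the rule line format is assumed from setools 3.x, and the type names other than httpd_bugzilla_script_t are my assumptions about the reference policy.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `sesearch -A -b httpd_unified` output.
# Real output depends on the installed policy and setools version.
SAMPLE = """\
allow httpd_bugzilla_script_t httpd_sys_content_t : file { ioctl read getattr lock open } ; [ httpd_unified ]
allow httpd_sys_script_t httpd_bugzilla_content_t : file { ioctl read getattr lock open } ; [ httpd_unified ]
allow httpd_t httpd_sys_rw_content_t : file { read write append create unlink } ; [ httpd_unified ]
allow httpd_sys_script_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
"""

# allow <source> <target> : <class> { perms } ; [ <boolean> ]   (bracket part optional)
RULE = re.compile(
    r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;(?:\s*\[\s*(\S+)\s*\])?"
)


def parse_rules(text):
    """Return a list of (source, target, class, perms, boolean_or_None)."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # skip anything that is not an allow rule
        src, tgt, cls, perms, cond = m.groups()
        rules.append((src, tgt, cls, perms.split(), cond))
    return rules


def service_prefix(type_name):
    """httpd_bugzilla_script_t -> 'bugzilla', httpd_sys_content_t -> 'sys',
    plain httpd_t -> None (the main daemon has no per-service prefix)."""
    m = re.match(r"httpd_([a-z0-9]+)_", type_name)
    return m.group(1) if m else None


def cross_service_grants(rules, boolean="httpd_unified"):
    """{source: {target: sorted perms}} for rules that only exist while the
    Boolean is on and whose source and target belong to different services.
    Unconditional rules (e.g. sys_script -> sys_content) are not listed."""
    grants = defaultdict(dict)
    for src, tgt, _cls, perms, cond in rules:
        if cond != boolean:
            continue
        if service_prefix(src) != service_prefix(tgt):
            grants[src][tgt] = sorted(perms)
    return dict(grants)
```

Running it over real `sesearch` output shows exactly which pairs of httpd domains and content types stop being separated once the Boolean is turned on.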