On Mon, 2005-03-14 at 18:08 +0000, Deim Ágoston wrote:
> Ignacio Vazquez-Abrams wrote:
> >On Mon, 2005-03-14 at 11:47 -0500, James B. Byrne wrote:
> >>allow httpd_t var_log_t:file { append read write };
> >>allow mailman_cgi_t file_t:dir search;
> >>Nuh uh. These permissions are WAY too broad. Log this in the CentOS bug
> >>tracker.
> >>
> Yes, you are right. It allows mailman cgis to search all the directories
> with enough permission in the DAC space.

It also allows Apache full unrestricted access to /var/log.

> Hmm. A bug in audit2allow?

No, a limitation. audit2allow can only work with what gets dumped in the log,
so it can't do file context optimization.

-- 
Ignacio Vazquez-Abrams <ivazquez@xxxxxxxxxxxx>
http://centos.ivazquez.net/