Re: SELinux/httpd integration

Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> >audit(1100636258.341:0): avc:  denied  { write } for  pid=21318 
> >exe=/usr/sbin/httpd name=__db.001 dev=hda2 ino=3169309 
> >scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
> Policy has been updated to allow this.  Please update to 
> selinux-policy-targeted-1.17.30-2.26 or greater.

I looked at selinux-policy-strict|targeted-sources-1.19.4-1,
and found the following statements.
if (httpd_enable_cgi && httpd_unified ) {
...
allow httpd_t httpdcontent:file { create ioctl read getattr lock write setattr append link unlink rename };
..
}

I think it is allowing too much.
It will be hard for users to guess that "httpd_unified" means "allowing httpd full access to all content".

A separate boolean like "httpd_content_writable" should be prepared.
# I am not sure the name is good.

And I think that, like "httpd_sys_script_rw_t",
"httpd_rw_t" would be useful when using PHP (such as wiki, xoops).
Users can allow write permission only by modifying types.

Please look at attached diffs.

---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
http://www.selinux.gr.jp/

Attachment: apache_macros.te.diff
Description: Binary data

Attachment: apache.te.diff
Description: Binary data
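The point of the mail is that a single boolean in a conditional block can silently grant write access to every type carrying the httpdcontent attribute. The following toy evaluator makes that visible: it parses a small policy fragment in the old-style .te syntax, expands attributes and conditional blocks, and reports which types httpd_t can write under a given boolean assignment. This is an added example, not code from the mail, its attachments or the selinux-policy package. The POLICY fragment is constructed: its first conditional mirrors the quoted httpd_unified rule, its second sketches the mail's proposal (a separate httpd_content_writable boolean and a dedicated httpd_rw_t type); the permission set under the proposed boolean is an assumption, as is the reduced set of types and attributes.

```python
"""Toy evaluator for conditional SELinux allow rules (old-style .te syntax).

Added example for this thread; it is not code from the mail, its attachments
or the selinux-policy package. POLICY below is a constructed fragment: the
first conditional mirrors the quoted httpd_unified rule, the second sketches
the proposal in the mail (a separate boolean and a dedicated httpd_rw_t type).
The exact permission set under httpd_content_writable is an assumption.
"""
import re

POLICY = """
attribute httpdcontent;
bool httpd_enable_cgi false;
bool httpd_unified false;
bool httpd_content_writable false;
type httpd_sys_content_t, httpdcontent;
type httpd_sys_script_rw_t, httpdcontent;
type httpd_rw_t, httpdcontent;
allow httpd_t httpdcontent:file { read getattr };
if (httpd_enable_cgi && httpd_unified) {
allow httpd_t httpdcontent:file { create ioctl read getattr lock write setattr append link unlink rename };
}
if (httpd_content_writable) {
allow httpd_t httpd_rw_t:file { create read getattr write append unlink };
}
"""

ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);$")
IF_RE = re.compile(r"if\s*\((.*)\)\s*\{$")


def parse_policy(text):
    """Return (attributes, bool defaults, rules); each rule is
    (condition or None, source, target, class, permission set)."""
    attrs, bools, rules, cond = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("attribute "):
            attrs.setdefault(line[len("attribute "):].rstrip(";").strip(), set())
        elif line.startswith("bool "):
            _, name, value = line.rstrip(";").split()
            bools[name] = value == "true"
        elif line.startswith("type "):
            # "type NAME, attr1, attr2;" adds NAME to each listed attribute
            name, *attr_names = [p.strip() for p in line[len("type "):].rstrip(";").split(",")]
            for a in attr_names:
                attrs.setdefault(a, set()).add(name)
        elif line.startswith("allow "):
            m = ALLOW_RE.match(line)
            if not m:
                raise ValueError("unparsed allow rule: " + line)
            src, tgt, cls, perms = m.groups()
            rules.append((cond, src, tgt, cls, set(perms.strip("{}").split())))
        elif line.startswith("if"):
            m = IF_RE.match(line)
            if not m or cond is not None:
                raise ValueError("unsupported or nested conditional: " + line)
            cond = m.group(1).strip()
        elif line == "}":
            if cond is None:
                raise ValueError("unbalanced '}'")
            cond = None
        else:
            raise ValueError("unsupported statement: " + line)
    if cond is not None:
        raise ValueError("unterminated conditional block")
    return attrs, bools, rules


def eval_cond(cond, values):
    """Evaluate a policy condition built from &&, ||, ! and parentheses."""
    if not re.fullmatch(r"[\w\s&|!()]*", cond):
        raise ValueError("unsupported condition: " + cond)
    expr = cond.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    return bool(eval(expr, {"__builtins__": {}}, dict(values)))


def effective_perms(text, bool_values=None):
    """Expand attributes and conditionals into {(src, type, class): perms}."""
    attrs, bools, rules = parse_policy(text)
    values = dict(bools, **(bool_values or {}))
    result = {}
    for cond, src, tgt, cls, perms in rules:
        if cond is not None and not eval_cond(cond, values):
            continue
        for t in attrs.get(tgt, {tgt}):  # attribute target -> every member type
            result.setdefault((src, t, cls), set()).update(perms)
    return result


def writable_types(text, bool_values=None, src="httpd_t"):
    """Sorted types on which `src` gets file:write under the given booleans."""
    return sorted(t for (s, t, cls), perms in effective_perms(text, bool_values).items()
                  if s == src and cls == "file" and "write" in perms)


if __name__ == "__main__":
    cases = [("defaults", {}),
             ("httpd_enable_cgi + httpd_unified", {"httpd_enable_cgi": True, "httpd_unified": True}),
             ("httpd_content_writable only", {"httpd_content_writable": True})]
    for name, bools in cases:
        print(f"{name}: httpd_t may write {writable_types(POLICY, bools) or 'nothing'}")
```

Run stand-alone it prints the writable set for each case: with httpd_enable_cgi and httpd_unified on, every httpdcontent type becomes writable, whereas the separate boolean only exposes httpd_rw_t. The evaluator handles a single level of conditional blocks and the &&, || and ! operators; the real checkpolicy grammar is considerably larger, so treat this as a reading aid for fragments like the one quoted above, not as a policy analyser.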