Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> >audit(1100636258.341:0): avc: denied { write } for pid=21318
> >exe=/usr/sbin/httpd name=__db.001 dev=hda2 ino=3169309
> >scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
> Policy has been updated to allow this. Please update to
> selinux-policy-targeted-1.17.30-2.26 or greater.

I looked at selinux-policy-strict|targeted-sources-1.19.4-1, and found the following statements.

if (httpd_enable_cgi && httpd_unified ) {
...
allow httpd_t httpdcontent:file { create ioctl read getattr lock write setattr append link unlink rename };
..
}

I think it is allowing too much. It will be hard for users to guess that "httpd_unified" means "allowing httpd full access to all contents". A separate boolean like "httpd_content_writable" should be prepared.
# I am not sure the name is good..

And I think, like "httpd_sys_script_rw_t", "httpd_rw_t" would be useful in using PHP (such as wiki, xoops). Users can allow write permission only by modifying types.

Please look at attached diffs.

---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
http://www.selinux.gr.jp/
Attachment: apache_macros.te.diff
Attachment: apache.te.diff
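As an added sketch, not taken from the attached diffs or from the shipped policy, here is how the split proposed in the message could look in the same policy syntax as the quoted rule: a `httpd_content_writable` boolean gates broad writes, and a dedicated `httpd_rw_t` type allows writes per file. The `httpdcontent` attribute and the two names come from the message; the exact permission sets and the `file_type, sysadmfile` attributes are assumptions.

```selinux
# Hypothetical policy fragment: reads stay unconditional, writes are
# narrowed to either an explicit boolean or an explicitly labelled type.

# Boolean for "httpd may write all web content"; off by default.
bool httpd_content_writable false;

# Content type for files a PHP application (wiki etc.) must modify.
# Adding it to httpdcontent keeps it readable like other content.
type httpd_rw_t, file_type, sysadmfile, httpdcontent;

# httpd may always read any content type.
allow httpd_t httpdcontent:file { ioctl read getattr lock };
allow httpd_t httpdcontent:dir { ioctl read getattr lock search };

# Per-file write: only objects labelled httpd_rw_t are writable,
# so an admin can relabel one directory instead of opening everything.
allow httpd_t httpd_rw_t:file { create write setattr append link unlink rename };
allow httpd_t httpd_rw_t:dir { create write add_name remove_name rmdir };

# Global write to every content type only when the admin opts in
# (for example with: setsebool httpd_content_writable 1).
if (httpd_content_writable) {
allow httpd_t httpdcontent:file { create write setattr append link unlink rename };
allow httpd_t httpdcontent:dir { create write add_name remove_name rmdir };
}
```

With this split, the AVC denial quoted at the top of the message would be resolved either by relabelling the application's data directory to `httpd_rw_t` or by setting the boolean, and the boolean's name says what it grants.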