Colin Walters wrote:
> On Sun, 2004-11-21 at 18:11 -0500, Yuichi Nakamura wrote:
> > Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > > >audit(1100636258.341:0): avc: denied { write } for pid=21318
> > > >exe=/usr/sbin/httpd name=__db.001 dev=hda2 ino=3169309
> > > >scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
> > > Policy has been updated to allow this. Please update to
> > > selinux-policy-targeted-1.17.30-2.26 or greater.
> >
> > I looked at selinux-policy-strict|targeted-sources-1.19.4-1
> > and found the following statements:
> > if (httpd_enable_cgi && httpd_unified ) {
> > ...
> > allow httpd_t httpdcontent:file { create ioctl read getattr lock write setattr append link unlink rename };
> > ..
> > }
> >
> > I think it is allowing too much.
> You think the boolean should not exist? Or just think it should grant
> fewer permissions?

I think it should grant fewer permissions.
Why should httpd_t write all contents in httpd_unified?
In my understanding, "httpd_unified" means unifying the domain transition entry points of CGI.
So, I feel that allowing httpd_t write permission to all contents is out of the scope of httpd_unified.

---
Yuichi Nakamura
Japan SELinux Users Group (JSELUG)
http://www.selinux.gr.jp/
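As an added illustration (not part of the thread or of the SELinux policy sources), the following script parses the AVC denial quoted above and models the quoted conditional allow rule as data, so one can check which of the denied permissions the rule grants under a given boolean setting. It assumes that httpd_sys_content_t carries the httpdcontent attribute, and it models only this one rule.

```python
import re

# Sample input: the AVC record quoted in the thread (constructed here as a single line).
AVC_LINE = ("audit(1100636258.341:0): avc: denied { write } for pid=21318 "
            "exe=/usr/sbin/httpd name=__db.001 dev=hda2 ino=3169309 "
            "scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file")

# Extract result, permission set, source/target contexts and object class from an AVC record.
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}.*?"
                    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

def parse_avc(line):
    """Return a dict with the fields of one AVC record; raise if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    d["stype"] = d["scontext"].split(":")[2]   # user:role:type -> type
    d["ttype"] = d["tcontext"].split(":")[2]
    return d

# Assumption for this example: the type attributes each target type carries.
TYPE_ATTRS = {"httpd_sys_content_t": {"httpdcontent"}}

# The conditional rule quoted from the policy sources, modelled as data.
RULES = [
    {"cond": ("httpd_enable_cgi", "httpd_unified"),
     "source": "httpd_t", "target": "httpdcontent", "tclass": "file",
     "perms": {"create", "ioctl", "read", "getattr", "lock", "write",
               "setattr", "append", "link", "unlink", "rename"}},
]

def allowed(avc, booleans):
    """Return the subset of the denied permissions the modelled rules would grant."""
    granted = set()
    target_names = {avc["ttype"]} | TYPE_ATTRS.get(avc["ttype"], set())
    for r in RULES:
        if not all(booleans.get(b, False) for b in r["cond"]):
            continue  # conditional block inactive: rule does not apply
        if r["source"] == avc["stype"] and r["target"] in target_names and r["tclass"] == avc["tclass"]:
            granted |= r["perms"] & avc["perms"]
    return granted

if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    for unified in (True, False):
        print("httpd_unified =", unified, "->",
              allowed(avc, {"httpd_enable_cgi": True, "httpd_unified": unified}))
```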