On Mon, Nov 22, 2004 at 05:59:10PM -0500, Colin Walters wrote: > On Mon, 2004-11-22 at 17:30 -0500, Yuichi Nakamura wrote: > > > I think it should grant fewer permissions. > > Why httpd_t should write all contents in httpd_unified ? > > Ah, I see what you're saying now. Right. Dan added that recently for > PHP scripts, I believe. > > > So, I feel that allowing httpd_t write permission to all contents is out of scope of httpd_unified. > > I agree now. Conceptually they are separate things. A new boolean like > httpd_content_writable sounds good to me. Sorry about misunderstanding > you originally. But this is boolean is going to be on by default? I'm going to add this text to /etc/httpd/conf.d/subversion.conf since it (currently :) works out-of-the-box: is the terminology "labelled with a context" correct? # # Example configuration to enable HTTP access for a directory # containing Subversion repositories, "/var/www/svn". Each repository # must be readable and writable by the 'apache' user. Note that if # SELinux is enabled, the repositories must be labelled with a context # which httpd can write to; this will happen by default for # directories created in /var/www. #
