Karsten Wade wrote:
> > >httpd_t *cannot* write to anything labelled with httpd_sys_content_t by
> > >default, surely - that's the whole problem?
> I can't find this allow rule in 1.17.30-2.34. I've used apol direct and
> transitive information flow analysis and good ol' grep to no avail.
> Before I post a very long message detailing everything I did, can
> someone tell me how httpd_t has gained write allow for
> httpd_sys_content_t? FWIW, I finally set the boolean in apache.te and
> recompiled policy, but still can't find the write.

It is in macros/program/apache_macros.te. I pick up the related part in the following.
---
113 if (httpd_enable_cgi) && (httpd_unified) ifdef(`targeted_policy', ` && ! (httpd_disable_trans)') {
114 ifelse($1, sys, `
115 domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
116 domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
117 domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
118 create_dir_file(httpd_t, httpdcontent)
119 ', `
120 create_dir_file(httpd_$1_script_t, httpdcontent)
121 can_exec(httpd_$1_script_t, httpdcontent )
122 domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
123 ')
124 }
---
Line 118 and line 120 are what you are looking for.

In policy.conf I found 3 rules, too.

type httpd_sys_content_t, file_type, homedirfile, httpdcontent, sysadmfile;
allow httpd_t httpdcontent:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow httpd_t httpdcontent:file { create ioctl read getattr lock write setattr append link unlink rename };

> I can't find this allow rule in 1.17.30-2.34. I've used apol direct and
> transitive information flow analysis and good ol' grep to no avail.

I tried apol now, but I could not find the rule, either. apol information flow may not support attributes or booleans, but I am not sure.

---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
http://www.selinux.gr.jp/
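The reason grep (and, apparently, that apol version) found nothing is that the allow rules quoted above are written against the attribute httpdcontent, not against the type httpd_sys_content_t; the type only inherits them through its `type ... , httpdcontent, ...;` declaration. The following is an added example, not code from this thread or from the SELinux reference policy: a small Python parser for bare `type` and `allow` statements in policy.conf syntax that resolves a target type to its attributes before matching rules. The sample policy text is constructed from the three statements in the mail plus two assumed extra types (httpd_user_content_t and etc_t) to show a hit through a second type and a miss; `if (bool) { ... }` conditional blocks around rules are deliberately not modelled.

```python
import re
from collections import defaultdict

# Constructed sample in policy.conf syntax. The httpd_sys_content_t type and
# the two allow rules on httpdcontent are the statements quoted in the mail;
# httpd_user_content_t and etc_t are assumed types added for contrast.
SAMPLE_POLICY = """
type httpd_sys_content_t, file_type, homedirfile, httpdcontent, sysadmfile;
type httpd_user_content_t, file_type, homedirfile, httpdcontent;
type etc_t, file_type, sysadmfile;
allow httpd_t httpdcontent:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow httpd_t httpdcontent:file { create ioctl read getattr lock write setattr append link unlink rename };
allow httpd_t etc_t:file { read getattr lock ioctl };
"""

# type NAME[, attr, attr, ...];
TYPE_RE = re.compile(r"^type\s+(\w+)\s*(?:,\s*([\w\s,]+?))?\s*;$")
# allow SRC TGT:CLASS { perm perm ... };   or   allow SRC TGT:CLASS perm;
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*(\{[^}]*\}|\w+)\s*;$")


def parse_policy(text):
    """Return (type_attrs, rules).

    type_attrs maps a type name to the set of attributes it carries;
    rules is a list of (source, target, class, perms) tuples, where
    target may be either a type or an attribute name.
    """
    type_attrs = defaultdict(set)
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TYPE_RE.match(line)
        if m:
            name, attrs = m.group(1), m.group(2)
            type_attrs[name]  # register the type even if it has no attributes
            if attrs:
                type_attrs[name].update(a.strip() for a in attrs.split(",") if a.strip())
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
    return type_attrs, rules


def matching_rules(type_attrs, rules, src, tgt_type, cls, perm):
    """Allow rules that grant src the permission perm on class cls for tgt_type.

    A rule matches if its target is the type itself or any attribute the
    type is declared with; this is the resolution a plain grep does not do.
    """
    targets = {tgt_type} | type_attrs.get(tgt_type, set())
    return [r for r in rules
            if r[0] == src and r[1] in targets and r[2] == cls and perm in r[3]]


def explain(policy_text, src, tgt_type, cls, perm):
    """Human-readable list of the rules behind an access, noting attribute hops."""
    type_attrs, rules = parse_policy(policy_text)
    out = []
    for s, t, c, _ in matching_rules(type_attrs, rules, src, tgt_type, cls, perm):
        via = "" if t == tgt_type else f"  (via attribute {t} of {tgt_type})"
        out.append(f"allow {s} {t}:{c} {perm}{via}")
    return out


if __name__ == "__main__":
    for query in (("httpd_t", "httpd_sys_content_t", "file", "write"),
                  ("httpd_t", "httpd_user_content_t", "dir", "add_name"),
                  ("httpd_t", "etc_t", "file", "write")):
        hits = explain(SAMPLE_POLICY, *query)
        print(query, "->", hits if hits else "no allow rule")
```

On a current system the same resolution is done by sesearch from setools, e.g. `sesearch -A -s httpd_t -t httpd_sys_content_t -c file -p write`, which by default also matches rules written against the target type's attributes; when auditing why a content type has become writable, query by type and let the tool expand attributes rather than grepping policy sources for the type name.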