Re: SELinux/httpd integration

On Sun, 2004-11-28 at 08:23 -0800, Karsten Wade wrote:
> On Tue, 2004-11-16 at 12:35, Daniel J Walsh wrote:
> > Joe Orton wrote:
> > 
> > >httpd_t *cannot* write to anything labelled with httpd_sys_content_t by
> > >default, surely - that's the whole problem?
> >
> > Policy has been updated to allow this.  Please update to 
> > selinux-policy-targeted-1.17.30-2.26 or greater.
> 
> I can't find this allow rule in 1.17.30-2.34.  I've used apol direct and
> transitive information flow analysis and good ol' grep to no avail. 
> Before I post a very long message detailing everything I did, can
> someone tell me how httpd_t has gained write allow for
> httpd_sys_content_t?  FWIW, I finally set the boolean in apache.te and
> recompiled policy, but still can't find the write.

It's this section:

if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
ifelse($1, sys, `
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
create_dir_file(httpd_t, httpdcontent)
', `
can_exec(httpd_$1_script_t, httpdcontent )
domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
')
create_dir_file(httpd_$1_script_t, httpdcontent)
}


Specifically:
create_dir_file(httpd_t, httpdcontent)

httpdcontent is an attribute that all of the various httpd content types,
such as httpd_sys_content_t, have.
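The reason the grep in the thread came up empty is visible in the snippet above: the write access is granted to the attribute httpdcontent, not to httpd_sys_content_t by name, and the whole block sits under the httpd_unified / httpd_enable_cgi condition, so the rule only applies when those booleans are on. The script below is an added example, not code from the list post or from the Fedora policy package. Its write_status function resolves a type through the attribute and reports whether the write permission is unconditional, conditional on booleans, or absent; it runs against a constructed set of rule lines in the "allow src tgt : class { perms } ; [ bools ]" shape (not real sesearch output; the exact layout differs between setools versions). The list of types carrying httpdcontent and the check_live commands are assumptions for a live box with setools installed.

```shell
#!/bin/sh
# Added example: why "grep httpd_sys_content_t" misses the write rule.
# The allow is on the attribute httpdcontent and is conditional on booleans.

# Constructed rule lines for the offline check (NOT real sesearch output):
#   allow SRC TGT : CLASS { perms } ; [ bools ]
SAMPLE_RULES='allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search } ;
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock } ;
allow httpd_t httpdcontent : dir { create write add_name remove_name rmdir } ; [ httpd_unified httpd_enable_cgi ]
allow httpd_t httpdcontent : file { create write append unlink } ; [ httpd_unified httpd_enable_cgi ]'

# Assumption: types that carry the httpdcontent attribute. On a real system
# list them with "seinfo -ahttpdcontent -x" instead of hard-coding.
HTTPDCONTENT_TYPES='httpd_sys_content_t httpd_user_content_t'

# write_status SRC TYPE CLASS
# Prints one of:  none | allowed | conditional <bool names>
# TYPE matches a rule directly or via the httpdcontent attribute.
write_status() {
    printf '%s\n' "$SAMPLE_RULES" | awk -v src="$1" -v typ="$2" -v cls="$3" \
        -v members="$HTTPDCONTENT_TYPES" '
    BEGIN {
        n = split(members, m, " ")
        for (i = 1; i <= n; i++) member[m[i]] = 1
        status = "none"
    }
    $1 == "allow" && $2 == src && $5 == cls {
        tgt = $3
        if (tgt != typ && !(tgt == "httpdcontent" && (typ in member))) next
        inperm = 0; inbool = 0; haswrite = 0; bools = ""
        for (i = 6; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if ($i == "[") { inbool = 1; continue }
            if ($i == "]") { inbool = 0; continue }
            if (inperm && $i == "write") haswrite = 1
            if (inbool) bools = bools (bools == "" ? "" : " ") $i
        }
        if (!haswrite) next
        # an unconditional grant wins over a conditional one
        if (bools == "") { status = "allowed"; exit }
        if (status == "none") status = "conditional " bools
    }
    END { print status }'
}

# On a live box (assumption: setools sesearch and getsebool are installed)
# the same question is answered by the policy itself. Conditional rules are
# printed together with their boolean expression, so check the booleans too.
# Remedy from the thread:  setsebool -P httpd_unified on
check_live() {
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed"; return 1; }
    getsebool httpd_unified httpd_enable_cgi
    sesearch -A -s httpd_t -t httpd_sys_content_t -c file -p write
}

# Usage on the constructed data:
write_status httpd_t httpd_sys_content_t file   # conditional httpd_unified httpd_enable_cgi
write_status httpd_t httpd_sys_content_t sock_file   # none
```

Searching by the attribute (or letting sesearch expand attributes, which it does unless asked for direct matches) and then reading the bracketed booleans is the check that the "good ol' grep" in the thread skipped.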


