On Sun, 2004-11-28 at 08:23 -0800, Karsten Wade wrote:
> On Tue, 2004-11-16 at 12:35, Daniel J Walsh wrote:
> > Joe Orton wrote:
> > >
> > > httpd_t *cannot* write to anything labelled with httpd_sys_content_t by
> > > default, surely - that's the whole problem?
> >
> > Policy has been updated to allow this. Please update to
> > selinux-policy-targeted-1.17.30-2.26 or greater.
>
> I can't find this allow rule in 1.17.30-2.34. I've used apol direct and
> transitive information flow analysis and good ol' grep to no avail.
> Before I post a very long message detailing everything I did, can
> someone tell me how httpd_t has gained write allow for
> httpd_sys_content_t? FWIW, I finally set the boolean in apache.te and
> recompiled policy, but still can't find the write.

It's this section:

if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
ifelse($1, sys, `
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
create_dir_file(httpd_t, httpdcontent)
', `
can_exec(httpd_$1_script_t, httpdcontent )
domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
')
create_dir_file(httpd_$1_script_t, httpdcontent)
}

Specifically:

create_dir_file(httpd_, httpdcontent)

httpdcontent is an attribute that all of the various httpd types such as httpd_sys_content_t has.
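To make the gating in the quoted apache.te block explicit, here is an added example (not code from the thread or from the policy package) that evaluates that condition for a given `$1` and boolean settings and lists the macro calls the block emits; the function names and the treatment of `targeted_policy` as a plain flag are assumptions for illustration.

```python
# Added example: evaluate the quoted apache.te conditional so it is clear
# which booleans must hold before create_dir_file(httpd_t, httpdcontent)
# appears at all. Function names are assumptions, not policy macros.


def apache_content_rules(kind, httpd_enable_cgi, httpd_unified,
                         targeted_policy=True, httpd_disable_trans=False):
    """Return the macro calls the quoted block produces for `$1` == kind
    ("sys", "user", ...) under the given boolean settings.

    In targeted policy the ifdef() appends `&& ! httpd_disable_trans`;
    in strict policy that clause is absent, so httpd_disable_trans is
    ignored there.
    """
    condition = httpd_enable_cgi and httpd_unified
    if targeted_policy:
        condition = condition and not httpd_disable_trans
    if not condition:
        return []  # nothing inside the if() block is emitted

    rules = []
    if kind == "sys":
        # ifelse($1, sys, ...) branch: httpd_t itself receives the write rule
        rules += [
            "domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)",
            "domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)",
            "domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)",
            "create_dir_file(httpd_t, httpdcontent)",
        ]
    else:
        # other branch: only the per-user script domain is involved
        rules += [
            f"can_exec(httpd_{kind}_script_t, httpdcontent)",
            f"domain_auto_trans({kind}_t, httpdcontent, httpd_{kind}_script_t)",
        ]
    # emitted for every $1 once the outer condition holds
    rules.append(f"create_dir_file(httpd_{kind}_script_t, httpdcontent)")
    return rules


def httpd_t_can_write_content(**booleans):
    """True when the expansion grants httpd_t write access to the
    httpdcontent attribute (and so to httpd_sys_content_t, which has it)."""
    return "create_dir_file(httpd_t, httpdcontent)" in apache_content_rules("sys", **booleans)


if __name__ == "__main__":
    for rule in apache_content_rules("sys", httpd_enable_cgi=True, httpd_unified=True):
        print(rule)
```

Because the grant lives inside a conditional on httpd_unified and httpd_enable_cgi, a search for a plain allow rule will miss it unless both booleans are on (and, in targeted policy, httpd_disable_trans is off).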