On Sun, 2004-11-28 at 12:10, Yuichi Nakamura wrote:
> > I can't find this allow rule in 1.17.30-2.34. I've used apol direct and
> > transitive information flow analysis and good ol' grep to no avail.
> I tried apol now, but I could not find the rule, either.
> apol information flow may not support attributes or booleans, but I am not sure.
This turned out to be a mistake in the way I was using apol.
First, all the necessary Booleans have to be set (I had missed enabling
httpd_enable_cgi). For analyzing policy.conf, the allow rule can be
found using Policy Rules > TE Rules, enabling Include Indirect Matches,
with the Source Type set to httpd_t and Target Type set to
httpd_sys_content_t:
(5597) allow httpd_t httpdcontent : file { create ioctl read getattr
lock write setattr append link unlink rename };
That is right at the top of the list. The (5597) is a link directly to
the line in policy.conf (in another tab).
Doing the same search on the binary policy file will actually expand
httpdcontent into httpd_sys_content_t.
I also could have found it by leaving the Booleans alone and disabling
"Only search for enabled rules". The information flow analysis
(Analysis tab) requires the Booleans to be set, but they also find the
rule.
- Karsten
--
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
