I noticed that I had "r_dir_file(httpd_t, httpdcontent)" in my domains/misc/local.te file so I removed it. After I did this I started getting avc errors for all web access to my server. Audit2allow says I need:

    allow httpd_t httpd_sys_content_t:dir { getattr search };
    allow httpd_t httpd_sys_content_t:file { getattr read };

Poking through the policy sources, it appears that httpd_t no longer has permission to read files with the httpdcontent attribute. Grep shows only this one place where httpd_t gets permission to read the content...

    ./domains/program/apache.te:create_dir_file(httpd_t, httpdcontent)

...but this line is protected by what looks like a four way conditional and doesn't appear to have any effect.

Would it make sense to add unconditional read access to httpd before checking/allowing write and execute access on the files?

My system is an FC3 base running with Daniel Walsh's 1.23.6-1 strict policy.

David