David Hampton wrote:
> I noticed that I had "r_dir_file(httpd_t, httpdcontent)" in my
> domains/misc/local.te file so I removed it. After I did this I started
> getting avc errors for all web access to my server. Audit2allow says I
> need:
>
> allow httpd_t httpd_sys_content_t:dir { getattr search };
> allow httpd_t httpd_sys_content_t:file { getattr read };
>
> Poking through the policy sources, it appears that httpd_t no longer has
> permission to read files with the httpdcontent attribute. Grep shows
> only this one place where httpd_t gets permission to read the content...
>
> ./domains/program/apache.te:create_dir_file(httpd_t, httpdcontent)
>
> ...but this line is protected by what looks like a four-way conditional
> and doesn't appear to have any effect. Would it make sense to add
> unconditional read access to httpd before checking/allowing write and
> execute access on the files?
>
> My system is an FC3 base running with Daniel Walsh's 1.23.6-1 strict
> policy.
>
> David
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Do you have httpd_unified && httpd_enable_cgi && httpd_builtin_scripting
turned on?
getsebool -a | grep httpd
setsebool -P httpd_enable_cgi=1 httpd_unified=1 httpd_builtin_scripting=1
Will turn it on.
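The check the reply suggests, written out as a small POSIX shell script. This is an added example, not code from the thread or from the Fedora policy: it feeds `getsebool -a` output through awk, reports which of the three booleans gating create_dir_file(httpd_t, httpdcontent) in apache.te (httpd_unified, httpd_enable_cgi, httpd_builtin_scripting) are not active, and prints the exact `setsebool -P` command that would turn on only the missing ones. The getsebool output below is constructed, not captured from a real box; the script assumes the FC3-era `name --> active|inactive` format and also accepts the later `on|off` wording. On a real system, pipe the real command in instead of the sample.

```shell
#!/bin/sh
# Added example (not from the thread): find which httpd booleans needed by the
# conditional around create_dir_file(httpd_t, httpdcontent) are off.

# The three booleans named in the reply; apache.te requires all of them.
REQUIRED_BOOLS="httpd_unified httpd_enable_cgi httpd_builtin_scripting"

# Constructed sample of `getsebool -a | grep httpd` output (values chosen for
# illustration; on a real system run the command itself).
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> active
httpd_disable_trans --> inactive
httpd_enable_cgi --> inactive
httpd_enable_homedirs --> active
httpd_ssi_exec --> inactive
httpd_unified --> inactive'

# missing_httpd_bools: read getsebool output on stdin and print, one per line,
# each required boolean that is not active (or is missing from the output
# entirely, which on a policy without that boolean is also a problem).
# Accepts both "active"/"inactive" (FC3) and "on"/"off" (later releases).
missing_httpd_bools() {
    awk -v req="$REQUIRED_BOOLS" '
        NF >= 3 { state[$1] = $3 }
        END {
            n = split(req, names, " ")
            for (i = 1; i <= n; i++) {
                s = state[names[i]]
                if (s != "active" && s != "on") print names[i]
            }
        }'
}

# setsebool_fix: read getsebool output on stdin and print the setsebool -P
# command that turns on only the missing booleans, or a note that none are
# missing.  Printing rather than running keeps the script safe to test.
setsebool_fix() {
    missing=$(missing_httpd_bools)
    if [ -z "$missing" ]; then
        echo "all required httpd booleans are active"
        return 0
    fi
    cmd="setsebool -P"
    for b in $missing; do
        cmd="$cmd $b=1"
    done
    echo "$cmd"
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_GETSEBOOL" | setsebool_fix
```

With the sample above the script prints `setsebool -P httpd_unified=1 httpd_enable_cgi=1`, leaving httpd_builtin_scripting alone because it is already active. Since the rule in apache.te is conditional on all three booleans, any one of them being off is enough to lose httpd_t's read access to httpdcontent, which matches the avc denials quoted in the original message.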