On Thu, 2006-04-06 at 07:48 +0100, Paul Howarth wrote:
> You can't have multiple contexts for a file, so it's not possible AFAIK
> to have both the original context *and* public_content_rw_t.

Correct. See the "Multiple contexts" thread on the selinux list from Jan 10 2005 for a discussion of why multiple contexts per file is a bad idea. In short, it makes information flow analysis impossible without considering the entire filesystem state.

> If your web server is only serving static data (nothing that requires
> write access to /var/www for the web server itself), you could
> relabel /var/www/* as public_content_t. If you have internal scripting
> like PHP that needs write access, you could use public_content_rw_t.
>
> However, if you're using cgi scripts that currently need
> httpd_script_exec_t, you'd need to generate a local policy module that
> allowed samba to read/write the httpd_* types.

Yes, a local policy module seems like the sanest choice. If this is a common situation, I suppose it could be incorporated into the upstream policy under a boolean.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list