Ingemar Nilsson wrote:
> Hi.
>
> Yesterday I set up a small PHP web service on one of our CentOS 5
> servers. It uses Smarty for templating, with the dynamically compiled
> templates being stored in a directory with SELinux context
> root:object_r:httpd_sys_content_t. The system runs with SELinux in
> enforcing mode, with httpd using the context root:system_u:httpd_t.
>
> For the fun of it, I looked through the SELinux policy allow rules, but
> I couldn't find a rule that says that processes in the httpd_t domain
> can write to files labeled httpd_sys_content_t, but it does anyway.
>
> I got the (supposedly) complete list of active policy rules using the
> command
>
> sesearch -a
>
> Running the command
>
> sesearch -a | grep 'httpd_t ' | grep httpd_sys_content_t
>
> produces the following list:
>
> allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
> allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search };
> allow httpd_t httpd_sys_content_t : lnk_file { ioctl read getattr lock };
> allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
> allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search };
> allow httpd_t httpd_sys_content_t : lnk_file { read getattr };
> type_transition httpd_t httpd_sys_content_t : process httpd_sys_script_t;
>
> I don't see any rule that allows httpd_t processes to write to
> httpd_sys_content_t directories. What is going on?
>
> Regards
> Ingemar
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

sesearch does not give you attributes. Could be a line like the following

allow @ttr1154 @ttr0504 : file { ioctl read write create getattr setattr lock append unlink link rename open };

What is the context of the files that get created?
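To illustrate the reply's point, here is an added example (not code from the thread): a small resolver that expands attribute-based allow rules before checking a permission. The rule lines are a constructed sample of `sesearch -a` output, and the memberships assumed for @ttr1154 and @ttr0504 are constructed for illustration, not taken from any real policy.

```python
"""Expand SELinux attribute rules that a per-type grep of `sesearch -a` misses."""
import re

# Constructed sample of `sesearch -a` output. The write permission exists
# only in the attribute-to-attribute rule, so
# `grep 'httpd_t ' | grep httpd_sys_content_t` never shows it.
SAMPLE_RULES = """\
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search };
allow @ttr1154 @ttr0504 : file { ioctl read write create getattr setattr lock append unlink link rename open };
type_transition httpd_t httpd_sys_content_t : process httpd_sys_script_t;
"""

# Constructed attribute membership (assumed; in practice taken from seinfo).
SAMPLE_ATTRS = {
    "@ttr1154": {"httpd_t", "httpd_sys_script_t"},
    "@ttr0504": {"httpd_sys_content_t", "httpd_sys_rw_content_t"},
}

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;")


def expand(name, attrs):
    """Concrete types a source/target field stands for (attribute or type)."""
    if name in attrs:
        return attrs[name]
    return set() if name.startswith("@") else {name}


def effective_perms(rules_text, attrs, source, target, obj_class):
    """Union of permissions source has on target:obj_class, including
    rules written against attributes that contain those types."""
    perms = set()
    for line in rules_text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue  # type_transition and other non-allow rules
        src, tgt, cls, plist = m.groups()
        if cls != obj_class:
            continue
        if source in expand(src, attrs) and target in expand(tgt, attrs):
            perms.update(plist.split())
    return perms


def can_write(rules_text, attrs, source, target, obj_class="file"):
    return "write" in effective_perms(rules_text, attrs, source, target, obj_class)


if __name__ == "__main__":
    print(sorted(effective_perms(SAMPLE_RULES, SAMPLE_ATTRS,
                                 "httpd_t", "httpd_sys_content_t", "file")))
```

Without the attribute memberships the same rules show no write at all, which is exactly the gap the grep in the question falls into.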