I was making a modified version of the guest policy that needed to be able
to edit and run some perl scripts that also are visible to the web server.
I used the manage_files macro and allowed execute, but I can't run the
script directly. But I can run it via perl.
For example:
[tomarndt@wolff area]$ ./newcheck.pl
-bash: ./newcheck.pl: /usr/bin/perl: bad interpreter: Permission denied
[tomarndt@wolff area]$ perl ./newcheck.pl
Ownership counts:
Ownership of games with owners owning less than 10 new games.
newcheck.pl starts with:
#!/usr/bin/perl
This is the modified policy for tom_t:
policy_module(tom,1.0.0)
########################################
#
# Declarations
#
userdom_restricted_user_template(tom)
require {
type httpd_sys_content_t;
type httpd_sys_script_exec_t;
type postgresql_tmp_t;
type postgresql_t;
}
########################################
#
# tom local policy
#
optional_policy(`
qmail_per_role_template(tom,tom_t,tom_r)
')
manage_dirs_pattern(tom_t, httpd_sys_content_t, httpd_sys_content_t)
manage_files_pattern(tom_t, httpd_sys_content_t, httpd_sys_content_t)
manage_files_pattern(tom_t, httpd_sys_script_exec_t, httpd_sys_script_exec_t)
allow tom_t postgresql_tmp_t:sock_file write;
allow tom_t postgresql_t:unix_stream_socket connectto;
allow tom_t httpd_sys_script_exec_t:file execute;
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
