On Mon, Nov 17, 2008 at 19:07:40 -0600,
  Bruno Wolff III <bruno@xxxxxxxx> wrote:
> On Mon, Nov 17, 2008 at 17:07:42 -0600,
>   Bruno Wolff III <bruno@xxxxxxxx> wrote:
> >
> > There doesn't seem to be a http_user_script_exec_t type. Probably it's a
> > typo, but I didn't see a way to get a full list and didn't manage to
> > guess the correct name.
>
> Yep, typo. For the archive, 'seinfo -t' provides a list of types.
>
> The guest policy (at least my modified version) does not allow access to
> files labelled httpd_user_script_exec_t.
>
> I'll keep putzing with this.

I have it working now. In the end I needed to give both execute and
execute_no_trans permission for tom_t running httpd_sys_script_exec_t.
The allow_xguest_exec_content and allow_guest_exec_content booleans didn't
seem to make a difference.

Going forward I might want to spend the time to dial this policy back as I
am executing the scripts with those types as an unconfined user (or perhaps
I should use the user_u role) and I'd like to prevent tom_t from changing
them (or replacing the files) with selinux.

I was having trouble finding what the manage_files_pattern and
manage_dirs_pattern macros expand to and exactly what functions some of the
permissions allow. Is there any good documentation of these things online?
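Added example, not part of the original message: one way to check the goal stated above (tom_t may execute the scripts but not change them) is to scan a policy's allow rules for file types that a domain can both execute and modify. The rules below are constructed for illustration; `tom_home_t`, `other_t` and the function names are assumptions, and only simple single-type `allow` rules are parsed.

```python
import re

# File-class permissions that let a domain alter or replace a file.
MODIFY_PERMS = {"write", "append", "create", "unlink", "rename",
                "setattr", "relabelfrom", "relabelto"}
EXEC_PERMS = {"execute", "execute_no_trans"}

# Matches: allow <source> <target>:<class> { perms } ;  (or a single perm)
RULE_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")

# Constructed rules, not taken from the post or from any shipped policy.
SAMPLE_RULES = """
allow tom_t httpd_sys_script_exec_t:file { read getattr execute execute_no_trans };
allow tom_t tom_home_t:file { read write create unlink execute };
allow tom_t tom_home_t:dir { search write add_name remove_name };
allow other_t httpd_sys_script_exec_t:file write;
"""

def parse_allow_rules(text):
    """Yield (source, target, tclass, perms) for each simple allow rule."""
    for line in text.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            src, tgt, tclass, perms = m.groups()
            yield src, tgt, tclass, set(perms.strip("{}").split())

def exec_and_modify(text, domain):
    """Map each file type that `domain` can both execute and modify
    to (execute perms granted, modify perms granted)."""
    granted = {}
    for src, tgt, tclass, perms in parse_allow_rules(text):
        if src == domain and tclass == "file":
            granted.setdefault(tgt, set()).update(perms)
    findings = {}
    for tgt, perms in granted.items():
        ex, mod = perms & EXEC_PERMS, perms & MODIFY_PERMS
        if ex and mod:
            findings[tgt] = (sorted(ex), sorted(mod))
    return findings

if __name__ == "__main__":
    for tgt, (ex, mod) in exec_and_modify(SAMPLE_RULES, "tom_t").items():
        print(f"tom_t can execute {ex} and modify {mod} on {tgt}")
```

Replacing a file also depends on `write`, `add_name` and `remove_name` on the type of the containing directory, which this check does not cover.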