-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bruno Wolff III wrote:
> On Mon, Nov 17, 2008 at 19:07:40 -0600,
>   Bruno Wolff III <bruno@xxxxxxxx> wrote:
>> On Mon, Nov 17, 2008 at 17:07:42 -0600,
>>   Bruno Wolff III <bruno@xxxxxxxx> wrote:
>>> There doesn't seem to be a http_user_script_exec_t type. Probably it's a
>>> typo, but I didn't see a way to get a full list and didn't manage to
>>> guess the correct name.
>> Yep, typo. For the archive, 'seinfo -t' provides a list of types.
>>
>> The guest policy (at least my modified version) does not allow access to
>> files labelled httpd_user_script_exec_t.
>>
>> I'll keep putzing with this.
>
> I have it working now. In the end I needed to give both execute and
> execute_no_trans permission for tom_t running httpd_sys_script_exec_t.
>
> The allow_xguest_exec_content and allow_guest_exec_content booleans
> didn't seem to make a difference.
>
> Going forward I might want to spend the time to dial this policy back,
> as I am executing the scripts with those types as an unconfined user
> (or perhaps I should use the user_u role) and I'd like to prevent tom_t
> from changing them (or replacing the files) with SELinux.
>
> I was having trouble finding what the manage_files_pattern and
> manage_dirs_pattern macros expand to and exactly what functions some
> of the permissions allow. Is there any good documentation of these things
> online?

A couple of things: people have asked for the ability to stop the execution of programs in the homedir, so the least-priv app does not have the ability to execute content. Since xguest has the ability to execute perl, sh, python and other interpreters, the value of shutting down execution in the homedir is questionable. This means ~/bin/myscript.sh will fail, but sh ~/bin/myscript.sh will work. The blocking of execution does work for all compiled code.

The policy for the boolean allows the execution of user_home_t, but not other labeled files in the homedir, which is a bug.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkqywcACgkQrlYvE4MpobNYZQCfYVlEjsxEouyMpe2yJgxnZEOV
7QcAn0Ys5OU0YLQU75I4fFaRFmzK11Ec
=GyTO
-----END PGP SIGNATURE-----
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
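The thread raises two things a reader may want to see worked through: what the manage_files_pattern / manage_dirs_pattern macros expand to, and why blocking direct execution in the homedir does not stop `sh ~/bin/myscript.sh` while `execute` plus `execute_no_trans` on httpd_sys_script_exec_t is what made Bruno's case work. The Python below is an added example, not code from the list, from Fedora or from the reference policy. It assumes the macro bodies and permission sets as they appear in the SELinux reference policy's support files (obj_perm_sets.spt and misc_patterns.spt; check your installed version), assumes the interpreters are labelled bin_t, and models the allow_guest_exec_content boolean as adding execute/execute_no_trans on user_home_t only, which is the behaviour the reply describes. The Policy class is a toy access-vector lookup, not libselinux; on a real system the equivalent queries are `seinfo -t` and `sesearch`.

```python
# Added example for the thread above; not code from the mailing list, Fedora,
# or refpolicy. Macro bodies and permission sets are transcribed from the
# SELinux reference policy support files (assumption: verify against the
# policy/support/*.spt files of the policy version you actually run).
from dataclasses import dataclass

# refpolicy permission sets (obj_perm_sets.spt) used by the pattern macros.
RW_DIR_PERMS = frozenset(
    "open getattr read lock ioctl search add_name remove_name write".split())
MANAGE_FILE_PERMS = frozenset(
    "create open getattr setattr read write append rename link unlink ioctl lock".split())
MANAGE_DIR_PERMS = frozenset(
    "create open getattr setattr read write link unlink rename search "
    "add_name remove_name reparent rmdir lock ioctl".split())


@dataclass(frozen=True)
class Allow:
    """One TE allow rule: allow <source> <target>:<cls> { perms };"""
    source: str
    target: str
    cls: str
    perms: frozenset

    def render(self) -> str:
        perms = " ".join(sorted(self.perms))
        return f"allow {self.source} {self.target}:{self.cls} {{ {perms} }};"


def manage_files_pattern(domain, dir_type, file_type):
    """misc_patterns.spt: rw on the containing directory, full management of the files."""
    return [Allow(domain, dir_type, "dir", RW_DIR_PERMS),
            Allow(domain, file_type, "file", MANAGE_FILE_PERMS)]


def manage_dirs_pattern(domain, dir_type, subdir_type):
    """misc_patterns.spt: rw on the containing directory, full management of subdirectories."""
    return [Allow(domain, dir_type, "dir", RW_DIR_PERMS),
            Allow(domain, subdir_type, "dir", MANAGE_DIR_PERMS)]


class Policy:
    """Toy access-vector lookup over a list of Allow rules (not libselinux)."""
    def __init__(self, rules):
        self.rules = list(rules)

    def allowed(self, source, target, cls, perm) -> bool:
        return any(r.source == source and r.target == target and r.cls == cls
                   and perm in r.perms for r in self.rules)

    def add(self, *rules):
        self.rules.extend(rules)
        return self


def can_exec_directly(policy, domain, file_type) -> bool:
    """execve() that stays in the same domain needs file:execute AND file:execute_no_trans."""
    return (policy.allowed(domain, file_type, "file", "execute")
            and policy.allowed(domain, file_type, "file", "execute_no_trans"))


def can_run_via_interpreter(policy, domain, script_type, interp_type="bin_t") -> bool:
    """`sh ~/bin/x.sh` execs the interpreter (bin_t, assumed) and only opens/reads the script."""
    return (can_exec_directly(policy, domain, interp_type)
            and policy.allowed(domain, script_type, "file", "read")
            and policy.allowed(domain, script_type, "file", "open"))


def build_guest_policy(domain="tom_t", exec_content=False) -> Policy:
    """Constructed model of the guest-style policy in the thread, not a dump of Fedora's."""
    p = Policy(manage_dirs_pattern(domain, "user_home_dir_t", "user_home_t")
               + manage_files_pattern(domain, "user_home_dir_t", "user_home_t"))
    p.add(Allow(domain, "bin_t", "file",
                frozenset({"read", "open", "getattr", "execute", "execute_no_trans"})))
    if exec_content:
        # Modelled effect of allow_guest_exec_content as the reply describes it:
        # only user_home_t becomes executable, not other labels under the homedir.
        p.add(Allow(domain, "user_home_t", "file", frozenset({"execute", "execute_no_trans"})))
    return p


def fix_from_thread(policy, domain="tom_t"):
    """Bruno's eventual fix: execute + execute_no_trans on httpd_sys_script_exec_t."""
    return policy.add(Allow(domain, "httpd_sys_script_exec_t", "file",
                            frozenset({"read", "open", "getattr", "execute", "execute_no_trans"})))


if __name__ == "__main__":
    for rule in manage_files_pattern("tom_t", "user_home_dir_t", "user_home_t"):
        print(rule.render())
    off = build_guest_policy(exec_content=False)
    print("boolean off, ~/bin/myscript.sh    :", can_exec_directly(off, "tom_t", "user_home_t"))
    print("boolean off, sh ~/bin/myscript.sh :", can_run_via_interpreter(off, "tom_t", "user_home_t"))
    on = build_guest_policy(exec_content=True)
    print("boolean on,  ~/bin/myscript.sh    :", can_exec_directly(on, "tom_t", "user_home_t"))
    print("boolean on,  httpd_sys_script_exec_t:", can_exec_directly(on, "tom_t", "httpd_sys_script_exec_t"))
    print("after fix,   httpd_sys_script_exec_t:", can_exec_directly(fix_from_thread(on), "tom_t", "httpd_sys_script_exec_t"))
```

Running it prints the two allow rules manage_files_pattern(tom_t, user_home_dir_t, user_home_t) expands to, then walks the thread's cases: with the boolean off, direct execution of a user_home_t script is denied while the interpreter route still succeeds because it needs only read/open on the script; with the boolean on, user_home_t becomes executable but httpd_sys_script_exec_t still is not, until the explicit execute/execute_no_trans rule is added.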