On Thursday 05-02-2009 at 21:25 [timezone +0000], Arthur Dent wrote:
> Thanks - I am still a little unclear as to how best to proceed. My local
> policy allows it all to work - should I just stick with that or work at
> fixing the underlying problem?
>
> Mark

Well, your solution works, but it allows squid to escalate to generic var objects. This means that squid can write to all objects with type var_t. This may not be what you want. Red Hat certainly decided not to give squid this access.

The following may be a better solution:

mkdir ~/mysquid; cd ~/mysquid
# Type enforcement rules go into mysquid.te
echo "policy_module(mysquid, 0.0.1)" > mysquid.te
echo "require { type squid_t; }" >> mysquid.te
echo "type squid_var_t;" >> mysquid.te
echo "files_type(squid_var_t)" >> mysquid.te
echo "manage_files_pattern(squid_t, squid_var_t, squid_var_t)" >> mysquid.te
# /var/squidGuard sits directly under /var (var_t), so the var (not var_lib) transition interface applies
echo "files_var_filetrans(squid_t, squid_var_t, file)" >> mysquid.te
# The file context line belongs in a separate mysquid.fc; redirecting it with ">" into mysquid.te would overwrite the rules above
echo "/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_var_t, s0)" > mysquid.fc
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i mysquid.pp
# Apply the new label to the existing directory tree, otherwise it stays var_t
sudo restorecon -R /var/squidGuard

This solution will not allow squid_t to write to objects with var_t, but instead allow squid_t to manage its objects in /var/squidGuard with a type that it owns.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
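The module sketched in the message above, carried through as a complete script. This is an added example, not code from the original post or from the Fedora policy: it generalises the same pattern (a private file type for one daemon and one directory tree, instead of access to the generic var_t) so that it works for any domain and path, writes the .te and .fc files properly, and ends with checks showing that the module is loaded, the tree is relabelled, and the domain still has no write rule on var_t files. The interface names (files_type, manage_dirs_pattern, manage_files_pattern, files_var_filetrans) are refpolicy interfaces; the function names, parameters and verification commands are this example's own choices, and the build step is only attempted when the policy development tools are present.

```shell
#!/bin/sh
# Added example, not code from the original message: generate, build and verify
# a small SELinux policy module that gives a confined domain a private type for
# one directory, instead of granting it access to a generic type such as var_t.
# The module is parameterised so the same pattern works for any daemon and
# directory. Interface names are refpolicy interfaces; the verification
# commands at the end are this example's own additions.
set -eu

# gen_module DIR MODULE DOMAIN TYPE PATH
# Writes MODULE.te (type enforcement rules) and MODULE.fc (file contexts) into
# DIR. The file context entry has to live in its own .fc file.
gen_module() {
    dir=$1 mod=$2 domain=$3 ftype=$4 path=$5
    mkdir -p "$dir"
    cat > "$dir/$mod.te" <<EOF
policy_module($mod, 0.0.1)

require {
    type $domain;
}

# Private type for the daemon's files; files_type() makes it a regular
# file-system object type so generic file policy applies to it.
type $ftype;
files_type($ftype)

# The domain may create, read, write, rename and unlink files and
# subdirectories carrying its own type, and nothing of type var_t.
manage_dirs_pattern($domain, $ftype, $ftype)
manage_files_pattern($domain, $ftype, $ftype)

# If the daemon creates the top-level directory under /var (var_t) itself,
# label it $ftype instead of letting it inherit var_t.
files_var_filetrans($domain, $ftype, dir)
EOF
    # File context entry consumed by restorecon / fixfiles relabel.
    printf '%s(/.*)?\tgen_context(system_u:object_r:%s,s0)\n' \
        "$path" "$ftype" > "$dir/$mod.fc"
}

# build_and_install DIR MODULE DOMAIN PATH
# Compiles the module with the refpolicy devel Makefile, loads it, relabels the
# directory so existing files pick up the new type, then shows what changed.
# Returns 1 (without touching the system) when the policy toolchain is absent.
build_and_install() {
    dir=$1 mod=$2 domain=$3 path=$4
    if [ ! -f /usr/share/selinux/devel/Makefile ] || ! command -v semodule >/dev/null 2>&1; then
        echo "SELinux policy development tools not installed; skipping build" >&2
        return 1
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$mod.pp" )
    semodule -i "$dir/$mod.pp"
    restorecon -R -v "$path"
    # Checks: the module is loaded, the tree carries the private type, and the
    # domain has no write rule on var_t files (the last command should print
    # nothing).
    semodule -l | grep "^$mod"
    ls -dZ "$path"
    sesearch -A -s "$domain" -t var_t -c file -p write
}

# The case discussed in the thread (run the second step as root):
#   gen_module ~/mysquid mysquid squid_t squid_var_t /var/squidGuard
#   build_and_install ~/mysquid mysquid squid_t /var/squidGuard
if [ "${1:-}" = "squid" ]; then
    gen_module "$HOME/mysquid" mysquid squid_t squid_var_t /var/squidGuard
    build_and_install "$HOME/mysquid" mysquid squid_t /var/squidGuard
fi
```

Generating the sources from a function keeps the .te and .fc files in step with each other and makes the obvious mistake (redirecting the file context line into the .te, wiping the rules) impossible; the restorecon step matters because loading the module alone changes nothing on disk, and the directory keeps its old var_t label until it is relabelled.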