Op donderdag 05-02-2009 om 21:25 uur [tijdzone +0000], schreef Arthur
Dent:
> Thanks - I am still a little unclear as to how best to proceed. My local
> policy allows it all to work - should I just stick with that or work at
> fixing the underlying problem?
>
> Mark
Well your solution works but it allows squid to escalate to generic var
objects. This means that squid can write to all objects with type var_t.
This may not be what you want. RedHat certainly decided not to give
squid this access.
The following may be a better solution:
mkdir ~/mysquid; cd ~/mysquid;
echo "policy_module(mysquid, 0.0.1)" > mysquid.te;
echo "require { type squid_t; }" >> mysquid.te;
echo "type squid_var_t;" >> mysquid.te;
echo "files_type(squid_var_t)" >> mysquid.te;
echo "manage_files_pattern(squid_t, squid_var_t, squid_var_t)" >>
mysquid.te;
echo "files_var_lib_filetrans(squid_t, squid_var_t, file)" >>
mysquid.te;
echo "/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_var_t,
s0)" > mysquid.te;
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i mysquid.pp
This solution will not allow squid_t to write to objects with var_t, but
instead allow squid_t to manage its objects in /var/squidGuard with a
type that it owns.
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
