On Tue, 2009-06-30 at 16:48 -0400, Chuck Anderson wrote:
> I have a cgi script /usr/share/cricket/cgi-bin/grapher.cgi which needs
> to write generated images to a cache in /var/cache/cricket. I'm using
> these file contexts to get the cgi script and static files working:
>
> /usr/share/[^/]*/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
> /usr/share/[^/]*/html(/.*)? system_u:object_r:httpd_sys_content_t:s0
> /usr/share/[^/]*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
>
> so grapher.cgi is running as httpd_sys_script_exec_t. What type
> should I make /var/cache/cricket(/.*)? to allow the cgi to
> read/write/create files in this directory?
>
> I tried making /var/cache/cricket system_u:object_r:httpd_cache_t.
> Here is the output of audit2allow after running this under "setenforce
> 0":
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t httpd_cache_t:dir { write search getattr setattr add_name };
> allow httpd_sys_script_t httpd_cache_t:file { write read create ioctl getattr };
>
> Is there a better type in the standard policy than httpd_cache_t that
> will allow httpd_sys_script_exec_t to write/create, or will I need to
> define this policy myself?
>
> Thanks.

semanage fcontext -a -t httpd_sys_content_rw_t "/var/cache/cricket(/.*)?"
restorecon -R -v /var/cache/cricket

Should work, I believe.

man httpd_selinux

> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
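An added example, not part of the original thread: a small Python model of how the file-context regexes quoted above, plus the local rule from the semanage command in the reply, map paths to types. It assumes a simplified matching rule (anchored regex, last matching entry wins) rather than libselinux's full ordering, and the sample paths are constructed.

```python
import re

# File-context specs quoted in the thread (path regex, SELinux type).
POLICY_SPECS = [
    (r"/usr/share/[^/]*/www(/.*)?", "httpd_sys_content_t"),
    (r"/usr/share/[^/]*/html(/.*)?", "httpd_sys_content_t"),
    (r"/usr/share/[^/]*/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
]
# Local rule that the semanage fcontext command in the reply would add.
LOCAL_SPECS = [
    (r"/var/cache/cricket(/.*)?", "httpd_sys_content_rw_t"),
]

def resolve_type(path, specs):
    """Return the type of the last spec whose regex matches the whole path.

    Simplification (assumption): file-context regexes are anchored at both
    ends, and later entries, such as local customizations, take precedence.
    Returns None when no spec in this model matches.
    """
    result = None
    for pattern, setype in specs:
        if re.fullmatch(pattern, path):
            result = setype
    return result

def label_report(paths, specs):
    """Map each path to its resolved type so unlabeled paths stand out."""
    return {p: resolve_type(p, specs) for p in paths}

# Constructed sample paths; the file names under the cache are hypothetical.
SAMPLE_PATHS = [
    "/usr/share/cricket/cgi-bin/grapher.cgi",
    "/var/cache/cricket",
    "/var/cache/cricket/img/abc.png",
    "/var/cache/cricket-old/abc.png",  # sibling directory, must not match
]

if __name__ == "__main__":
    before = label_report(SAMPLE_PATHS, POLICY_SPECS)
    after = label_report(SAMPLE_PATHS, POLICY_SPECS + LOCAL_SPECS)
    for p in SAMPLE_PATHS:
        print(f"{p}: {before[p]} -> {after[p]}")
```

The `(/.*)?` suffix is what makes the rule cover both the directory itself and everything beneath it, while the sibling `/var/cache/cricket-old` stays outside the rule.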