On 10/19/2010 01:58 PM, Vadym Chepkov wrote: > On Oct 19, 2010, at 3:17 AM, Miroslav Grepl wrote: > >> On 10/18/2010 04:46 PM, Vadym Chepkov wrote: >>> Hi, >>> >>> I have an issue I would like to fix properly. >>> >>> I have a policy for mediawiki defined this way: >>> >>> apache_content_template(mediawiki) >>> apache_search_sys_content(httpd_mediawiki_script_t) >>> >>> /var/www/mediawiki/bin(/.*)? >>> gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) >>> /var/www/mediawiki/images(/.*)? >>> gen_context(system_u:object_r:httpd_mediawiki_script_rw_t,s0) >>> /var/www/mediawiki/cache(/.*)? >>> gen_context(system_u:object_r:httpd_mediawiki_script_rw_t,s0) >> Vadym, >> we shipped the mediawiki policy in Fedora 13+. Any chance you have some of these Fedora release? >> > This package is usually very behind. mediawiki 1.15.5 and 1.16.0 were released back in July and they are security releases no less, > but Fedora still has 1.15.4 > Anyway, I always install directly from mediawiki subversion tag. > I don't need multi-site feature and other then that I don't see any other patches that would prevent the problem I have. > I tried to check what selinux policy does Fedora provide and I found just one line in selinux-policy-3.7.19-62.fc13.src.rpm : The mediawiki policy was added to selinux-policy-3.7.19-65.fc13 policy which should be available from the stable repo now. So you can update your policy and try to test the mediawiki policy which we shipped and you can help us to improve this policy. Miroslav > /var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) > > And I can assure you it's not enough. > I suspect whoever uses mediawiki on Fedora either just turns SELinux off or has httpd_unified on. > > Vadym > > > > -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
