I have a CGI application named "mapserv" that needs to write to a specific location: "/rwg/mapserver/tmp". I ran audit2allow, which produced the test.te file below. I ran "semodule -i test.pp" and my CGI application is now happy, and so you would think that I should be happy also. But I am confused/concerned because I do not see "mapserv" nor do I see "/rwg/mapserver/tmp" in the te file. So my uninformed interpretation of the te file below is that I have just granted all httpd scripts permission to write to any directory. I did a quick test and this is thankfully NOT the case, but how does selinux know that I am granting only the "mapserv" application write permissions to only the "/rwg/mapserver/tmp" directory? I feel like there is a big piece that I am completely missing.
Thanks for your patience with a newbie.
Rich
module test 1.0;

require {
    type httpd_sys_content_t;
    type httpd_sys_script_t;
    class dir add_name;
    class file { write create };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
allow httpd_sys_script_t httpd_sys_content_t:file { write create };
--
Richard Greenwood
richard.greenwood@xxxxxxxxx
www.greenwoodmap.com
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
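As an added example (not from Rich's post or from audit2allow), the Python below parses the allow rules of the module above and evaluates them the way SELinux type enforcement does: the decision keys only on the type field of the process and file security contexts, which is why neither the binary name nor the path appears in the .te file. The process and file contexts in the constants are assumed labels constructed for the example, not values from the post.

```python
import re

# The .te module from the post, used here as the parser's input.
TE_MODULE = """
module test 1.0;
require {
    type httpd_sys_content_t;
    type httpd_sys_script_t;
    class dir add_name;
    class file { write create };
}
allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
allow httpd_sys_script_t httpd_sys_content_t:file { write create };
"""

# allow <source_type> <target_type>:<class> <perm | { perm ... }>;
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")

# Constructed contexts, as `ps -eZ` / `ls -Z` would display them (assumptions).
MAPSERV_PROC = "system_u:system_r:httpd_sys_script_t:s0"  # the running CGI
TMP_DIR = "system_u:object_r:httpd_sys_content_t:s0"      # /rwg/mapserver/tmp
DOCROOT_FILE = "system_u:object_r:httpd_sys_content_t:s0"  # any other web content


def parse_allow_rules(te_text):
    """Expand every allow rule into (source_type, target_type, class, perm)."""
    grants = set()
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        for perm in perms.strip("{} ").split():
            grants.add((src, tgt, cls, perm))
    return grants


def type_of(context):
    """Pull the type out of a user:role:type[:level] security context."""
    return context.split(":")[2]


def is_allowed(grants, proc_context, file_context, cls, perm):
    """Type-enforcement check: only the two type fields take part."""
    return (type_of(proc_context), type_of(file_context), cls, perm) in grants


def affected_types(grants):
    """Which domains gain access, and which object types they gain it on."""
    return {g[0] for g in grants}, {g[1] for g in grants}


if __name__ == "__main__":
    rules = parse_allow_rules(TE_MODULE)
    print("module touches:", affected_types(rules))
    print("mapserv -> tmp dir add_name:", is_allowed(rules, MAPSERV_PROC, TMP_DIR, "dir", "add_name"))
    print("mapserv -> other content write:", is_allowed(rules, MAPSERV_PROC, DOCROOT_FILE, "file", "write"))
```

Because both the target directory and ordinary web content carry the same type in this model, the rule matches either one; the label, not the path, is what bounds the grant.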