Re: total newbie audit2allow question

On 04/17/2013 03:53 AM, Richard Greenwood wrote:
> I have a CGI application named "mapserv" that needs to write to a
> specific location: "/rwg/mapserver/tmp". I ran audit2allow which
> produced the test.te file below. I ran "semodule -i test.pp" and my
> CGI application is now happy, and so you would think that I should be
> happy also. But I am confused/concerned because I do not see "mapserv"
> nor do I see "/rwg/mapserver/tmp" in the te file. So my uninformed
> interpretation of the te file below is that I have just granted all
> httpd scripts permission to write to any directory. I did a quick test
> and this is thankfully /NOT/ the case, but how does SELinux know that I
> am granting only the "mapserv" application write permissions to only the
> "/rwg/mapserver/tmp" directory? I feel like there is a big piece that I
> am completely missing.
> 
> Thanks for your patience with a newbie.
> Rich
> 
> 
> module test 1.0;
> 
> require {
>         type httpd_sys_content_t;
>         type httpd_sys_script_t;
>         class dir add_name;
>         class file { write create };
> }
> 
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
> allow httpd_sys_script_t httpd_sys_content_t:file { write create };
> 
> 
> -- 
> Richard Greenwood
> richard.greenwood@xxxxxxxxx <mailto:richard.greenwood@xxxxxxxxx>
> www.greenwoodmap.com <http://www.greenwoodmap.com>
> 
> 
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
Hello Richard,

The new rules that you have put in give access rights to processes
having the 'httpd_sys_script_t' SELinux type (domain) on directories and
files having the 'httpd_sys_content_t' SELinux type. So strictly
speaking, this is not just for the "mapserv" application that you have,
but for all httpd CGI scripts in general, on all 'web-content'
directories. However, this is fine, and is the usual way that SELinux is
used, as long as you have control over what CGI scripts are deployed on
the system, and that only specific directories have the 'web-content'
SELinux type.

If you desire to have the rules allowed only for a specific process on
specific directories and files, you have to define special SELinux types
for the CGI scripts, process, directories and files, rules for the
process to transition to the expected type (domain), and rules for the
types to be persistent on the directories and files, and finally access
rules using those special SELinux types.

-- 
Cheers!

Rejy M Cyriac (rmc)
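One way to carry out the steps Rejy lists, written as an added example for this thread rather than anything posted in it: a refpolicy-style module (mapserv.te plus mapserv.fc, built with the selinux-policy-devel Makefile) that gives the CGI its own domain, gives the tmp directory its own type, and grants write access only between those two. The binary path /rwg/mapserver/cgi-bin/mapserv and the type names mapserv_t, mapserv_exec_t and mapserv_tmp_t are assumptions; /rwg/mapserver/tmp is the directory from the question.

```selinux
## mapserv.te  (file name assumed; an empty mapserv.if is created next to it)
policy_module(mapserv, 1.0)

gen_require(`
    type httpd_t;
')

# 1. A private domain for the running CGI and a type for its executable.
type mapserv_t;
type mapserv_exec_t;
domain_type(mapserv_t)
domain_entry_file(mapserv_t, mapserv_exec_t)
role system_r types mapserv_t;

# 2. A private type for the scratch directory, so that no other
#    web-content type becomes writable as a side effect.
type mapserv_tmp_t;
files_type(mapserv_tmp_t)

# 3. When httpd_t executes a file labelled mapserv_exec_t, the child
#    process runs as mapserv_t (the macro also allows the usual fd,
#    fifo and sigchld traffic back to httpd_t).
domtrans_pattern(httpd_t, mapserv_exec_t, mapserv_t)

# 4. The only write access this module grants: mapserv_t on mapserv_tmp_t.
manage_dirs_pattern(mapserv_t, mapserv_tmp_t, mapserv_tmp_t)
manage_files_pattern(mapserv_t, mapserv_tmp_t, mapserv_tmp_t)

## mapserv.fc  (the cgi-bin path is an assumption; tmp is from the thread)
/rwg/mapserver/cgi-bin/mapserv    --    gen_context(system_u:object_r:mapserv_exec_t,s0)
/rwg/mapserver/tmp(/.*)?                gen_context(system_u:object_r:mapserv_tmp_t,s0)

## Build, load and relabel (as root), then verify the labels took effect:
##   touch mapserv.if
##   make -f /usr/share/selinux/devel/Makefile mapserv.pp
##   semodule -i mapserv.pp
##   restorecon -Rv /rwg/mapserver
##   ls -Z /rwg/mapserver/tmp          (expect mapserv_tmp_t)
##   ps -eZ | grep mapserv             (expect mapserv_t while a request runs)
```

Whatever else the script needs (shared libraries, its own data files, network) will still show up as denials, but they are now attributed to mapserv_t and can be added to this module without touching httpd_sys_script_t.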