On 04/17/2013 11:29 AM, Rejy M Cyriac wrote:
> On 04/17/2013 03:53 AM, Richard Greenwood wrote:
>> I have a CGI application named "mapserv" that needs to write to a
>> specific location: "/rwg/mapserver/tmp". I ran audit2allow, which
>> produced the test.te file below. I ran "semodule -i test.pp" and my
>> CGI application is now happy, and so you would think that I should be
>> happy also. But I am confused/concerned because I do not see "mapserv"
>> nor do I see "/rwg/mapserver/tmp" in the te file. So my uninformed
>> interpretation of the te file below is that I have just granted all
>> httpd scripts permission to write to any directory. I did a quick test
>> and this is thankfully /NOT/ the case, but how does SELinux know that I
>> am granting only the "mapserv" application write permissions to only the
>> "/rwg/mapserver/tmp" directory? I feel like there is a big piece that I
>> am completely missing.
>>
>> Thanks for your patience with a newbie.
>> Rich
>>
>>
>> module test 1.0;
>>
>> require {
>>     type httpd_sys_content_t;
>>     type httpd_sys_script_t;
>>     class dir add_name;
>>     class file { write create };
>> }
>>
>> #============= httpd_sys_script_t ==============
>> allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
>> allow httpd_sys_script_t httpd_sys_content_t:file { write create };
>>
>>
>> --
>> Richard Greenwood
>> richard.greenwood@xxxxxxxxx <mailto:richard.greenwood@xxxxxxxxx>
>> www.greenwoodmap.com <http://www.greenwoodmap.com>
>>
>>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
> Hello Richard,
>
> The new rules that you have put in give access rights to processes
> having the 'httpd_sys_script_t' SELinux type (domain) on directories and
> files having the 'httpd_sys_content_t' SELinux type. So strictly
> speaking, this is not just for the "mapserv" application that you have,
> but for all httpd CGI scripts in general, on all 'web-content'
> directories. However, this is fine, and is the usual way that SELinux is
> used, as long as you have control over what CGI scripts are deployed on
> the system, and that only specific directories have the 'web-content'
> SELinux type.
>
> If you desire to have the rules allowed only for a specific process on
> specific directories and files, you have to define special SELinux types
> for the CGI scripts, process, directories and files, rules for the
> process to transition to the expected type (domain), and rules for the
> types to be persistent on the directories and files, and finally access
> rules using those special SELinux types.
>

By 'special' SELinux types mentioned here, I actually meant *'custom'*
SELinux types.

--
Regards,

Rejy M Cyriac (rmc)
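A concrete shape for the custom-type approach described in the reply above, added here as an example and not part of the thread: a hand-written module in the same raw kernel policy language as the test.te in the thread, giving mapserv its own domain and confining its write access to a single directory type. Every mapserv_* type name and the /var/www/cgi-bin/mapserv path are assumptions; /rwg/mapserver/tmp comes from the thread.

```text
# mapserv.te  (example module; every mapserv_* name is an assumption)
module mapserv 1.0;

require {
    type httpd_t;            # the Apache daemon's domain
    attribute domain;        # carried by every process type
    attribute file_type;     # carried by every file type
    role system_r;
    class process { transition sigchld };
    class file { read getattr open execute entrypoint write create unlink };
    class dir { search write add_name remove_name };
    class fd use;
    class fifo_file { read write getattr };
}

# Custom types: the mapserv binary, the domain it runs in, its tmp directory.
type mapserv_script_exec_t;
type mapserv_script_t;
type mapserv_tmp_t;
typeattribute mapserv_script_exec_t file_type;
typeattribute mapserv_tmp_t file_type;
typeattribute mapserv_script_t domain;
role system_r types mapserv_script_t;

# Domain transition: when httpd_t executes a mapserv_script_exec_t file the
# child runs as mapserv_script_t instead of the generic httpd_sys_script_t.
type_transition httpd_t mapserv_script_exec_t:process mapserv_script_t;
allow httpd_t mapserv_script_exec_t:file { read getattr open execute };
allow httpd_t mapserv_script_t:process transition;
allow mapserv_script_t mapserv_script_exec_t:file { read execute entrypoint };
allow mapserv_script_t httpd_t:fd use;              # inherited stdin/stdout
allow mapserv_script_t httpd_t:fifo_file { read write getattr };
allow mapserv_script_t httpd_t:process sigchld;

# The only write access granted: this domain, on this directory type.
allow mapserv_script_t mapserv_tmp_t:dir { search write add_name remove_name };
allow mapserv_script_t mapserv_tmp_t:file { create write read getattr open unlink };

# mapserv.fc  (binary path assumed; /rwg/mapserver/tmp is from the thread)
/var/www/cgi-bin/mapserv     --    system_u:object_r:mapserv_script_exec_t:s0
/rwg/mapserver/tmp(/.*)?           system_u:object_r:mapserv_tmp_t:s0

# Build, install, and apply the labels (run as root):
checkmodule -M -m -o mapserv.mod mapserv.te
semodule_package -o mapserv.pp -m mapserv.mod -f mapserv.fc
semodule -i mapserv.pp
restorecon -Rv /var/www/cgi-bin/mapserv /rwg/mapserver/tmp
```

This grants only the transition and the tmp-directory writes, so a real CGI will still log denials for what httpd_sys_script_t normally receives from the base policy (shared libraries, /tmp, networking); iterate on those with audit2allow, or use the reference policy's apache_content_template interface, which generates a type family of this shape with those basics included.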