On 04/16/2013 03:23 PM, Richard Greenwood wrote:
> I have a CGI application named "mapserv" that needs to write to a specific
> location: "/rwg/mapserver/tmp". I ran audit2allow which produced the
> test.te file below. I ran "semodule -i test.pp" and my CGI application
> is now happy, and so you would think that I should be happy also. But I am
> confused/concerned because I do not see "mapserv" nor do I see
> "/rwg/mapserver/tmp" in the te file. So my uninformed interpretation of the
> te file below is that I have just granted all httpd scripts permission to
> write to any directory. I did a quick test and this is thankfully /NOT/ the
> case, but how does selinux know that I am granting only the "mapserv"
> application write permissions to only the "/rwg/mapserver/tmp" directory? I
> feel like there is a big piece that I am completely missing.
>
> Thanks for your patience with a newbie.
> Rich
>
>
> module test 1.0;
>
> require {
>     type httpd_sys_content_t;
>     type httpd_sys_script_t;
>     class dir add_name;
>     class file { write create };
> }
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
> allow httpd_sys_script_t httpd_sys_content_t:file { write create };
>
>
> --
> Richard Greenwood
> richard.greenwood@xxxxxxxxx
> www.greenwoodmap.com
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

I just wrote a blog on this.

http://danwalsh.livejournal.com/63137.html
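
Added example, not part of the original thread and not written by either poster: a small Python model of how the allow rules in the posted test.te are matched on type labels rather than on program names or paths. The label tables are constructed assumptions standing in for what `ps -Z` and `ls -Zd` would report on a real system, and `parse_allow_rules` and `module_allows` are hypothetical helper names.

```python
import re

# The module text from the post above (audit2allow output).
TE_MODULE = """
module test 1.0;
require {
    type httpd_sys_content_t;
    type httpd_sys_script_t;
    class dir add_name;
    class file { write create };
}
allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
allow httpd_sys_script_t httpd_sys_content_t:file { write create };
"""

# Constructed labels (assumptions): the type a process runs as and the
# type stored on each path. Real values come from `ps -Z` and `ls -Zd`.
PROCESS_TYPES = {"mapserv": "httpd_sys_script_t", "sshd": "sshd_t"}
PATH_TYPES = {
    "/rwg/mapserver/tmp": "httpd_sys_content_t",
    "/var/www/html": "httpd_sys_content_t",
    "/etc": "etc_t",
}

ALLOW_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+));", re.M)

def parse_allow_rules(te_text):
    """Return {(source_type, target_type, class): set_of_perms}."""
    rules = {}
    for src, tgt, cls, braced, single in ALLOW_RE.findall(te_text):
        perms = set((braced or single).split())
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules

def module_allows(rules, process, path, cls, perm):
    """True if a rule in this module matches the labels of process and path.

    Only this module is modelled; the rest of the loaded policy and
    ordinary file permissions also apply on a real system.
    """
    key = (PROCESS_TYPES[process], PATH_TYPES[path], cls)
    return perm in rules.get(key, set())

RULES = parse_allow_rules(TE_MODULE)
```

In this model the rules match any process labelled `httpd_sys_script_t` acting on any object labelled `httpd_sys_content_t`, so the scope of the module is set by which processes and paths carry those labels.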