On Wed, 2013-04-17 at 09:12 -0600, Richard Greenwood wrote:
>
> Rejy, Dominick and Daniel,
>
> Thank you for the detailed explanations and blog post. I'm not really
> having a problem with my CGI app, nor am I trying to create a custom
> type. I'm just trying to get a better understanding of SELinux
> generally, and specifically what policies audit2allow is creating.
> Your answers have gotten me a little closer.

In a sense you do have a problem with your CGI app. You were "breaking" the policy by changing the meaning of the httpd_sys_content_t type. The httpd_sys_content_t type is meant to be read-only to httpd process types. You used audit2allow to implement rules that allow the httpd_sys_script_t process type to create and write httpd_sys_content_t files.

If you were able to figure out that httpd_sys_content_rw_t is a more suitable type for your CGI app's writable content, then there would be less of a problem.

There are ways to do this. By using the seinfo, sesearch and semanage tools one can figure out the "meaning" or properties of a given type. That will allow one to make better decisions with regard to choosing the best type for any given job. This is not something audit2allow can do for you.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
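The following is an added illustration of the inspect-then-relabel approach the reply recommends; it is not part of the thread. It embeds a constructed sample of `sesearch -A -s httpd_sys_script_t -c file` output (setools 4 rule syntax) so the rule parsing runs without setools installed, and it shows the live `seinfo`, `sesearch`, `semanage fcontext` and `restorecon` invocations a practitioner would use on a real host. The writable type is spelled `httpd_sys_rw_content_t` here, which is the name the reference policy uses (the mail writes it as `httpd_sys_content_rw_t`); the directory path passed to `label_rw_content` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): find out what a SELinux
# domain may do to a file type, and relabel writable content instead of
# widening the policy with audit2allow.

# Constructed sample of `sesearch -A -s httpd_sys_script_t -c file` output.
# Embedded here so the parsing below runs on a host without setools.
SAMPLE_RULES='allow httpd_sys_script_t httpd_sys_content_t:file { getattr ioctl lock open read };
allow httpd_sys_script_t httpd_sys_rw_content_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow httpd_sys_script_t httpd_sys_script_exec_t:file { execute execute_no_trans getattr ioctl map open read };'

# Read allow rules on stdin and print each target type (class file) that the
# source domain is permitted to `write`.  Rule layout:
#   allow <src> <tgt>:<class> { perm perm ... };
# Braces and the trailing semicolon are stripped so a single-permission rule
# such as `allow a b:file write;` parses the same way.
writable_types() {
    awk '$1 == "allow" {
        split($3, tc, ":")
        if (tc[2] != "file") next
        for (i = 4; i <= NF; i++) {
            p = $i
            gsub(/[{};]/, "", p)
            if (p == "write") { print tc[1]; break }
        }
    }'
}

# Live queries for a host with setools and policycoreutils installed:
# which attributes a type carries, and what CGI scripts may do to it.
show_type_info() {
    seinfo -t "$1" -x
    sesearch -A -s httpd_sys_script_t -t "$1" -c file
}

# Give a directory the CGI-writable content type instead of allowing writes
# to the read-only httpd_sys_content_t.  "$1" is a placeholder directory.
label_rw_content() {
    semanage fcontext -a -t httpd_sys_rw_content_t "$1(/.*)?"
    restorecon -Rv "$1"
}

# With the sample rules, only httpd_sys_rw_content_t is writable by the
# httpd_sys_script_t domain.
printf '%s\n' "$SAMPLE_RULES" | writable_types
```

On a real system, replace the sample with `sesearch -A -s httpd_sys_script_t -c file | writable_types` to list every file type the CGI domain can already write; if a suitable type such as `httpd_sys_rw_content_t` appears, relabelling the application's data directory with `label_rw_content /path/to/data` (placeholder path) keeps `httpd_sys_content_t` read-only as the policy intends.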