On Tue, 2013-11-12 at 17:31 -0500, m.roth@xxxxxxxxx wrote:
> Ok, gents,
>
> I see it that creating the type worked, and I see
> dbus: avc: received policyload notice (seqno=988)
> after I applied the new type... but then I'm still seeing selinux avcs (it
> is in permissive mode), such as
> setroubleshoot: SELinux is preventing /usr/bin/sudo from search access on
> the directory /proc/<pid>/stat.
> and
> setroubleshoot: SELinux is preventing /usr/bin/sudo from open access on
> the file /var/log/sudo.log.
>

Yes, SELinux still prevents access to sudo. The point is that now the
script should run in the httpd_myapp_script_t domain instead of the
httpd_sys_script_t domain.

Now you can use audit2allow to extend the httpd_myapp_script_t domain.

This enables you to leave the httpd_sys_script_t domain untouched.

That was the initial goal.

> Does apache have to be restarted for it to realize that the selinux file
> context has changed?
>

Have a look. The new AVC denials should be about httpd_myapp_script_t, and
not httpd_sys_script_t.

Generally you do not need to restart Apache.

> mark
>

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
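
An added example, not part of the original thread: a small parser that groups AVC denials by source domain, so you can confirm that new denials come from httpd_myapp_script_t rather than httpd_sys_script_t and see which allow rules would extend the custom domain only. The log records and the target types in them (httpd_t, var_log_t) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not from the thread); target types are assumed.
SAMPLE_LOG = """\
type=AVC msg=audit(1384295401.101:510): avc:  denied  { search } for  pid=4121 comm="sudo" name="4121" dev=proc ino=20113 scontext=system_u:system_r:httpd_myapp_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir
type=AVC msg=audit(1384295401.105:511): avc:  denied  { open } for  pid=4121 comm="sudo" path="/var/log/sudo.log" dev=dm-0 ino=393301 scontext=system_u:system_r:httpd_myapp_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1384295390.002:498): avc:  denied  { open } for  pid=4093 comm="sudo" path="/var/log/sudo.log" dev=dm-0 ino=393301 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1384295401.105:511): arch=c000003e syscall=2 success=yes exit=3 comm="sudo"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def denials_by_domain(log_text):
    """Map source domain -> (target type, class) -> set of denied permissions."""
    result = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m:
            key = (selinux_type(m["tcontext"]), m["tclass"])
            result[selinux_type(m["scontext"])][key].update(m["perms"].split())
    return result


def allow_rules(log_text, domain):
    """Render allow rules, in audit2allow's output style, for one source domain."""
    rules = []
    for (ttype, tclass), perms in sorted(denials_by_domain(log_text).get(domain, {}).items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {domain} {ttype}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    for domain, targets in sorted(denials_by_domain(SAMPLE_LOG).items()):
        print(f"{domain}: {len(targets)} denied target(s)")
    # Only the custom domain is extended; httpd_sys_script_t stays untouched.
    print("\n".join(allow_rules(SAMPLE_LOG, "httpd_myapp_script_t")))
```

A denial that still shows httpd_sys_script_t as its source domain means that request ran in the stock domain rather than the custom one, which is the condition the reply says to look for.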