On Tue, 2013-12-03 at 16:50 +0100, Vidalie Hervé wrote:

> Encountered problems :
> Already discussed : httpd_log_t is not enough for httpd to create new log files -> to be replaced with httpd_sys_rw_content_t
> New files (for example logs) are not correctly labeled (they are labeled like the folder)

This:

> [root@d30 rules.d]# sesearch -ASC -d -t httpd_sys_ra_content_t
> Found 7 semantic av rules:
> allow httpd_sys_ra_content_t httpd_sys_ra_content_t : filesystem associate ;
> allow httpd_sys_script_t httpd_sys_ra_content_t : file { ioctl read create getattr lock append open } ;
> allow httpd_sys_script_t httpd_sys_ra_content_t : dir { ioctl read write getattr lock add_name search open } ;
> allow httpd_sys_script_t httpd_sys_ra_content_t : lnk_file { read getattr } ;
> ET allow httpd_t httpd_sys_ra_content_t : file { ioctl read create getattr lock append open } ; [ httpd_builtin_scripting ]
> ET allow httpd_t httpd_sys_ra_content_t : dir { ioctl write getattr lock add_name search open } ; [ httpd_builtin_scripting ]
> ET allow httpd_t httpd_sys_ra_content_t : lnk_file { read getattr } ; [ httpd_builtin_scripting ]

..Tells me that, at least on my system, both httpd_t as well as httpd_sys_script_t type processes are allowed to create new log files (files with type httpd_sys_ra_content_t) in directories with type httpd_sys_ra_content_t.

So instead of using httpd_log_t (which I would not use for any logs other than /var/log/httpd in the first place) use httpd_sys_ra_content_t.

This is the type for readable/appendable (and creatable but not writable) files by httpd_t and httpd_sys_script_t.

This:

> semanage fcontext -a -t httpd_log_t '/WEBS/[^/]+/[^/]+/logs'

.. Is wrong. Use this instead:

> semanage fcontext -a -t httpd_sys_ra_content_t '/WEBS/[^/]+/[^/]+/logs(/.*)?'

Then restorecon -R -v -F /WEBS/*/logs

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
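Why the corrected fcontext pattern ends in `(/.*)?`: restorecon/setfiles match each path against the file_contexts regex anchored at both ends, so the original pattern matches only the `logs` directory itself and never the log files inside it. The following is an added illustration, not code from the thread; it emulates that anchored matching with grep and uses a constructed vhost layout under /WEBS (the hostnames and file names are assumptions), so it runs without SELinux tools.

```shell
# Emulate how restorecon/setfiles test a path against a fcontext regex:
# libselinux implicitly anchors every file_contexts regex with ^ and $.
# $1 = regex as passed to 'semanage fcontext -a', $2 = absolute path
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# The two patterns from the thread: the original (directory only) and the
# corrected one that also covers everything created beneath the directory.
OLD_PATTERN='/WEBS/[^/]+/[^/]+/logs'
NEW_PATTERN='/WEBS/[^/]+/[^/]+/logs(/.*)?'

# Print, for each path, whether a relabel with the given pattern would hit it.
check_paths() {
    pattern=$1; shift
    for p in "$@"; do
        if fcontext_matches "$pattern" "$p"; then
            printf '%-40s matches  %s\n' "$p" "$pattern"
        else
            printf '%-40s no match %s\n' "$p" "$pattern"
        fi
    done
}

# Constructed sample paths (hypothetical site/instance layout under /WEBS).
# Files httpd creates at runtime inherit the directory's type, but after a
# full relabel (restorecon -F) only paths a fcontext regex matches keep it.
check_paths "$OLD_PATTERN" /WEBS/site1/prod/logs /WEBS/site1/prod/logs/access_log
check_paths "$NEW_PATTERN" /WEBS/site1/prod/logs /WEBS/site1/prod/logs/access_log
```

With the old pattern the second line reports "no match", which is exactly the case where a relabel would strip httpd_sys_ra_content_t from existing log files.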