On 12/03/2013 11:21 AM, Dominick Grift wrote:
> On Tue, 2013-12-03 at 16:50 +0100, Vidalie Hervé wrote:
>
>> Encountered problems : Already discussed : httpd_log_t is not enough for
>> httpd to create new log files -> to be replaced with
>> httpd_sys_rw_content_t. New files (for example logs) are not correctly
>> labeled (they are labeled like the folder).
>>
>
> This:
>
>> [root@d30 rules.d]# sesearch -ASC -d -t httpd_sys_ra_content_t
>> Found 7 semantic av rules:
>>    allow httpd_sys_ra_content_t httpd_sys_ra_content_t : filesystem associate ;
>>    allow httpd_sys_script_t httpd_sys_ra_content_t : file { ioctl read create getattr lock append open } ;
>>    allow httpd_sys_script_t httpd_sys_ra_content_t : dir { ioctl read write getattr lock add_name search open } ;
>>    allow httpd_sys_script_t httpd_sys_ra_content_t : lnk_file { read getattr } ;
>> ET allow httpd_t httpd_sys_ra_content_t : file { ioctl read create getattr lock append open } ; [ httpd_builtin_scripting ]
>> ET allow httpd_t httpd_sys_ra_content_t : dir { ioctl write getattr lock add_name search open } ; [ httpd_builtin_scripting ]
>> ET allow httpd_t httpd_sys_ra_content_t : lnk_file { read getattr } ; [ httpd_builtin_scripting ]
>>
>
> ..Tells me that, at least on my system, both httpd_t, as well as
> httpd_sys_script_t type processes are allowed to create new log files
> (files with type httpd_sys_ra_content_t) in directories with type
> httpd_sys_ra_content_t.
>
> So instead of using httpd_log_t (which I would not use for any logs other
> than /var/log/httpd in the first place) use httpd_sys_ra_content_t. This is
> the type for readable/appendable (and creatable but not writable) files by
> httpd_t and httpd_sys_script_t.
>
> This:
>
>> semanage fcontext -a -t httpd_log_t '/WEBS/[^/]+/[^/]+/logs'
>>
>
> .. Is wrong. Use this instead:
>
>> semanage fcontext -a -t httpd_sys_ra_content_t '/WEBS/[^/]+/[^/]+/logs(/.*)?'
>>
>
> Then restorecon -R -v -F /WEBS/*/logs
>

I am not sure I would label the lost+found directory differently, since this is still httpd_sys_content_t. The only reason to label content httpd_log_t versus httpd_sys_ra_content_t is if the log files need to be used by log applications like logrotate.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
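The sesearch check in Dominick's reply, turned into a small checker as an added example (not code from this thread): it parses setools-3 style sesearch output, embeds the rules quoted above as constructed sample input, and reports whether a domain holds the dir and file permissions it needs to create a log file under a given type and append to it. The NEEDED permission set is my assumption of the minimum for that operation.

```python
import re

# Constructed sample input: the sesearch output quoted in the thread, one rule per line.
SESEARCH_OUTPUT = """\
allow httpd_sys_ra_content_t httpd_sys_ra_content_t : filesystem associate ;
allow httpd_sys_script_t httpd_sys_ra_content_t : file { ioctl read create getattr lock append open } ;
allow httpd_sys_script_t httpd_sys_ra_content_t : dir { ioctl read write getattr lock add_name search open } ;
allow httpd_sys_script_t httpd_sys_ra_content_t : lnk_file { read getattr } ;
ET allow httpd_t httpd_sys_ra_content_t : file { ioctl read create getattr lock append open } ; [ httpd_builtin_scripting ]
ET allow httpd_t httpd_sys_ra_content_t : dir { ioctl write getattr lock add_name search open } ; [ httpd_builtin_scripting ]
ET allow httpd_t httpd_sys_ra_content_t : lnk_file { read getattr } ; [ httpd_builtin_scripting ]
"""

# One setools-3 style rule: optional flag column (e.g. "ET" on a conditional rule),
# "allow SRC TGT : CLASS { perms } ;" and an optional "[ boolean ]" suffix.
RULE_RE = re.compile(
    r"^(?:(?P<flags>[A-Z]+)\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;(?:\s*\[\s*(?P<bool>[^\]]+)\])?"
)

def parse_rules(text):
    """Parse sesearch allow rules into dicts; lines that are not rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        perms = (m.group("perms") or m.group("perm")).split()
        rules.append({"src": m.group("src"), "tgt": m.group("tgt"), "cls": m.group("cls"),
                      "perms": set(perms), "bool": (m.group("bool") or "").strip() or None})
    return rules

# Assumed minimum for a domain to create a log file and append to it, given that the new
# file inherits the directory's type (no type transition), as the thread observes.
NEEDED = {"dir": {"search", "write", "add_name"}, "file": {"create", "append", "open"}}

def can_create_and_append(rules, src, tgt):
    """Return (ok, missing_perms_by_class, gating_booleans) for domain src on type tgt."""
    granted = {cls: set() for cls in NEEDED}
    booleans = set()
    for r in rules:
        if r["src"] == src and r["tgt"] == tgt and r["cls"] in NEEDED:
            granted[r["cls"]] |= r["perms"]
            if r["bool"]:
                booleans.add(r["bool"])
    missing = {cls: sorted(NEEDED[cls] - granted[cls])
               for cls in NEEDED if NEEDED[cls] - granted[cls]}
    return (not missing, missing, sorted(booleans))

if __name__ == "__main__":
    rules = parse_rules(SESEARCH_OUTPUT)
    for domain in ("httpd_t", "httpd_sys_script_t"):
        print(domain, can_create_and_append(rules, domain, "httpd_sys_ra_content_t"))
```

A non-empty booleans list means the access only holds while that boolean is on, which is worth checking with getsebool before relying on the label.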