> On 17 Sep 2015, at 1:44 am, Miroslav Grepl <mgrepl@xxxxxxxxxx> wrote:
>
>> On 09/16/2015 08:07 AM, Douglas Brown wrote:
>> Hi all,
>>
>> Is there any reason why the php config files in /etc don’t have their own php_etc_t type in RHEL 6?
>>
>> Thanks,
>> Doug
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> We don't label these general config files. Also /etc is supposed to be
> read-only. If there is a config file which is writable and it is owned
> by a package then we add a specific label. This happens mostly for
> config files which are writeable by a service.

This makes sense, but when confining users with RBACs, I'd like to provide them with the ability to administer PHP but it would be a bad idea to give them write access to etc_t.

I've created the type php_etc_t with the etcfile attribute and used the file_type macro, then allowed the service admin domain to manage it. Can you think of anything further required?

Thanks,
Doug