Re: /etc/php.ini and /etc/php.d labelled as etc_t

> On 17 Sep 2015, at 1:44 am, Miroslav Grepl <mgrepl@xxxxxxxxxx> wrote:
> 
>> On 09/16/2015 08:07 AM, Douglas Brown wrote:
>> Hi all,
>> 
>> Is there any reason why the php config files in /etc don’t have their own php_etc_t type in RHEL 6?
>> 
>> Thanks,
>> Doug
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> We don't label these general config files. Also /etc is supposed to be
> read-only. If there is a config file which is writable and it is owned
> by a package then we add a specific label. This happens mostly for
> config files which are writeable by a service.

This makes sense, but when confining users with RBACs, I'd like to provide them with the ability to administer PHP but it would be a bad idea to give them write access to etc_t.

I've created the type php_etc_t with the etcfile attribute and used the file_type macro, then allowed the service admin domain to manage it. Can you think of anything further required?

Thanks,
Doug
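
The setup described in the last message, written out as a loadable policy module; this is an added example, not the poster's actual policy and not code from the distribution's selinux-policy package. The module name `myphp_etc`, the admin domain `phpadm_t`, the choice of `httpd_t` as the domain that runs PHP, and the use of the refpolicy interface `files_config_file()` to declare the type are all assumptions.

```selinux
# ---- myphp_etc.te (hypothetical module name) ----
policy_module(myphp_etc, 1.0.0)

# phpadm_t is a placeholder for the confined service-admin domain of the
# local RBAC policy. httpd_t is assumed to be the domain that loads PHP.
gen_require(`
	type phpadm_t;
	type httpd_t;
')

# Dedicated type for the PHP configuration. files_config_file() marks it
# as a file type and adds the refpolicy configuration-file attribute.
type php_etc_t;
files_config_file(php_etc_t)

# The admin domain has to traverse /etc (etc_t) to reach the PHP files,
# but receives no write access to etc_t itself.
files_search_etc(phpadm_t)

# Full management of php.ini and of everything under /etc/php.d.
manage_dirs_pattern(phpadm_t, php_etc_t, php_etc_t)
manage_files_pattern(phpadm_t, php_etc_t, php_etc_t)
manage_lnk_files_pattern(phpadm_t, php_etc_t, php_etc_t)

# Every domain that used to read these files as etc_t now needs an
# explicit read rule for the new type, otherwise PHP loses its config.
list_dirs_pattern(httpd_t, php_etc_t, php_etc_t)
read_files_pattern(httpd_t, php_etc_t, php_etc_t)
read_lnk_files_pattern(httpd_t, php_etc_t, php_etc_t)

# Files created inside /etc/php.d inherit php_etc_t from the directory.
# /etc/php.ini sits directly in an etc_t directory: in-place edits work,
# but a tool that replaces the file by create-and-rename would need write
# access to the etc_t directory, which this module does not grant.

# ---- myphp_etc.fc ----
/etc/php\.ini		--	gen_context(system_u:object_r:php_etc_t,s0)
/etc/php\.d(/.*)?		gen_context(system_u:object_r:php_etc_t,s0)
```

After loading the module with `semodule -i`, the existing files only pick up the new type once `restorecon -Rv /etc/php.ini /etc/php.d` has been run; AVC denials against `php_etc_t` in the audit log then show any other domain that still needs a read rule.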