On 09/16/2015 10:55 PM, Douglas Brown wrote:
>
>> On 17 Sep 2015, at 1:44 am, Miroslav Grepl <mgrepl@xxxxxxxxxx> wrote:
>>
>>> On 09/16/2015 08:07 AM, Douglas Brown wrote:
>>> Hi all,
>>>
>>> Is there any reason why the php config files in /etc don’t have their own php_etc_t type in RHEL 6?
>>>
>>> Thanks,
>>> Doug
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>> We don't label these general config files. Also /etc is supposed to be
>> read-only. If there is a config file which is writable and it is owned
>> by a package then we add a specific label. This happens mostly for
>> config files which are writable by a service.
>
> This makes sense, but when confining users with RBACs, I'd like to provide them with the ability to administer PHP, but it would be a bad idea to give them write access to etc_t.
>
> I've created the type php_etc_t with the etcfile attribute and used the file_type macro, then allowed the service admin domain to manage it. Can you think of anything further required?
>
> Thanks,
> Doug
>

The question is whether it needs to be readable by other domains. If so, you will need to add additional rules for that.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
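The module sketched in the thread, written out as an added example in reference-policy syntax (it is not Doug's module and not part of the RHEL 6 policy). It declares php_etc_t as a config file type, lets an assumed RBAC service-admin domain php_admin_t manage it without touching anything else labelled etc_t, and adds the read rules Miroslav mentions for a consumer domain, using the real apache domain httpd_t as the consumer. The module name, php_admin_t (which must already be declared by another module for this to load) and the file paths in the .fc section are assumptions:

```selinux
## php_etc.te -- added example, not a module from the thread or from the
## RHEL 6 policy. Assumed: module name "php_etc", the admin domain
## php_admin_t, and the paths listed in the .fc section below.
policy_module(php_etc, 1.0)

# httpd_t is the real apache domain that still has to parse php.ini;
# php_admin_t is the assumed RBAC service-admin domain from the thread.
gen_require(`
	type httpd_t;
	type php_admin_t;
')

########################################
# Declarations
#
type php_etc_t;
# Gives php_etc_t the file_type attribute and marks it as configuration
# (the etcfile/configfile attribute), so generic "read all config files"
# rules keep working, while write access to php_etc_t no longer implies
# write access to etc_t.
files_config_file(php_etc_t)

########################################
# Service admin: full management of the PHP config, and files it creates
# directly under /etc get php_etc_t instead of inheriting etc_t.
#
files_search_etc(php_admin_t)
manage_dirs_pattern(php_admin_t, php_etc_t, php_etc_t)
manage_files_pattern(php_admin_t, php_etc_t, php_etc_t)
files_etc_filetrans(php_admin_t, php_etc_t, file)

########################################
# Consumers: every domain that reads php.ini or /etc/php.d needs explicit
# read access to the new type; these are the "additional rules" from the
# reply. Repeat for any other PHP-running domain (CLI user domains,
# php-fpm) that shows up in AVC denials after relabelling.
#
files_search_etc(httpd_t)
list_dirs_pattern(httpd_t, php_etc_t, php_etc_t)
read_files_pattern(httpd_t, php_etc_t, php_etc_t)

## php_etc.fc -- file contexts; paths assumed for a RHEL 6 style layout
/etc/php\.ini		--	gen_context(system_u:object_r:php_etc_t,s0)
/etc/php\.d(/.*)?		gen_context(system_u:object_r:php_etc_t,s0)
```

Build and load it with `make -f /usr/share/selinux/devel/Makefile php_etc.pp && semodule -i php_etc.pp`, then `restorecon -Rv /etc/php.ini /etc/php.d` and confirm with `ls -Z /etc/php.ini` that the label changed. `sesearch -A -s httpd_t -t php_etc_t -c file` shows whether the read rules landed; any remaining reader that was relying on the old etc_t label will surface as an AVC denial against php_etc_t in the audit log and needs its own read_files_pattern line rather than a broad allow on etc_t.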