init_t translation

I am new to compiling SELinux policy modules. When I sesearch for source domain init_t and target httpd_sys_content_t I get 5 replies:

$sesearch -T -s init_t -t httpd_sys_content_t
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "smarty";
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "upgrade";
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "uploads";
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t "wp-content";
type_transition init_t httpd_sys_content_t:file httpd_sys_rw_content_t "settings.php";

If I read this correctly, init_t has access to 4 directories: smarty, upgrade, uploads and wp-content, and one file, settings.php.

I created a systemd service file running as a timer. The service just executes a script. SELinux denies with these errors:

type=AVC msg=audit(1570329687.437:218): avc:  denied  { execute } for  pid=1079 comm="(index.sh)" name="make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1570329687.437:219): avc:  denied  { read open } for  pid=1079 comm="(index.sh)" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1570329687.437:220): avc:  denied  { execute_no_trans } for  pid=1079 comm="(index.sh)" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1570329687.450:221): avc:  denied  { ioctl } for  pid=1079 comm="make_index.sh" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1570329691.303:222): avc:  denied  { create } for  pid=1081 comm="make_index.sh" name="index.html" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1570329691.322:223): avc:  denied  { write } for  pid=1081 comm="make_index.sh" name="index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1570329691.322:224): avc:  denied  { open } for  pid=1081 comm="make_index.sh" path="/srv/www/sites/linux.montclaire.lan/index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1570329691.322:225): avc:  denied  { append } for  pid=1081 comm="make_index.sh" name="index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1

How can I create a type transition that says this? Is it correct?

type_transition init_t httpd_sys_content_t:file httpd_sys_rw_content_t "make_index.sh";
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
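As an added example (not from the poster or the list), the script below does by hand what audit2allow does with these records: it parses AVC denials, groups them by source type, target type and object class, and renders the union of denied permissions as allow rules in .te syntax. A type_transition rule only decides the label a newly created object receives and grants no access by itself, so the rules this prints are the access the records actually ask for; the sample records and the path in them are constructed to match the shape of the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of the AVC lines quoted in the post.
SAMPLE_AVCS = """\
type=AVC msg=audit(1570329687.437:218): avc:  denied  { execute } for  pid=1079 comm="(index.sh)" name="make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329687.437:219): avc:  denied  { read open } for  pid=1079 comm="(index.sh)" path="/srv/www/sites/example/make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.303:222): avc:  denied  { create } for  pid=1081 comm="make_index.sh" name="index.html" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
"""

# One AVC record per line: the permission set in braces, then the source and
# target contexts and the object class. Non-greedy matches stay on one line
# because DOTALL is not set.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(audit_text: str) -> dict:
    """Group denials by (source type, target type, class), unioning permissions."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(audit_text):
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def to_te(rules: dict) -> list:
    """Render grouped denials as allow rules in policy-module (.te) syntax."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    for line in to_te(summarize(SAMPLE_AVCS)):
        print(line)
```

The printed rules are the broadest reading of the records (every denied permission on the httpd content type); relabeling the script and its output to types init_t is already allowed to use is the narrower change and worth checking with sesearch first.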
