On 03/31/2009 06:30 AM, Dominick Grift wrote:
On Tue, 2009-03-31 at 15:16 +1000, Scott Radvan wrote:
I am going to use this thread to just share any thoughts I have with regard to this
o allow_httpd_anon_write
This Boolean is off by default, allowing httpd only read access to
files labeled with the public_content_rw_t type. Enabling this Boolean
will allow httpd to write to files labeled with the public_content_rw_t
type, such as a public directory containing files for a public file
transfer service.
o allow_httpd_mod_auth_ntlm_winbind
This Boolean is off by default. Enabling it will allow access to NTLM
and Winbind authentication mechanisms via the mod_auth_ntlm_winbind
module in httpd.
o allow_httpd_mod_auth_pam
This Boolean is off by default. Enabling it will allow access to PAM
authentication mechanisms via the mod_auth_pam module in httpd.
o allow_httpd_sys_script_anon_write
This Boolean is off by default. It defines whether or not HTTP scripts
are allowed write access to files labeled with the public_content_rw_t
type, as used in a public file transfer service.
o httpd_builtin_scripting
This Boolean is on by default, allowing httpd scripting. Having this
Boolean enabled is often required for PHP content.
It allows:
1. httpd_t to manage templated httpd rw content,
2. httpd_t to read templated httpd ra content,
3. httpd_t to read templated httpd content,
	# Allow the web server to run scripts and serve pages
	tunable_policy(`httpd_builtin_scripting',`
		manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)

		allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms };
		read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
		append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)

		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)

		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
	')
I think this is a bug in policy, or at least that this boolean is too coarse.
With this boolean set to false, httpd_t cannot read
httpd_user_content_t. Basically, what it means is that you cannot use
httpd userdirs (httpd_enable_userdirs) without scripting enabled.
In Fedora policy I have removed the booleans from the templated
interfaces, so these booleans only affect httpd_sys_*. If you use the
templates, you need to either allow the access or add your own booleans.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
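As an added illustration of the "add your own booleans" option from the reply above (this is example code, not part of the thread, not refpolicy, and not Fedora's policy), the following local module re-states only the read-only rules that httpd_content_template() places behind httpd_builtin_scripting, but for httpd_user_content_t and gated on a new boolean, so userdir content can be served with scripting left off. The module name local_httpd_userdir, the boolean name httpd_read_user_content_noscript, and the build Makefile path in the comments are assumptions made for the example; the types and pattern macros are the ones that appear in the quoted policy.

```m4
policy_module(local_httpd_userdir, 1.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow httpd to read user web content labeled httpd_user_content_t
## without requiring httpd_builtin_scripting to be enabled.
## </p>
## </desc>
gen_tunable(httpd_read_user_content_noscript, false)

# Types come from the base apache module; we only reference them here.
require {
	type httpd_t;
	type httpd_user_content_t;
}

########################################
#
# Policy
#

# Mirror the read-only branch of the httpd_builtin_scripting block in
# httpd_content_template(), but for httpd_user_content_t and behind our
# own boolean, so the read access no longer depends on scripting.
# Directory listing, file read and symlink read are the three rules
# quoted in the thread; nothing is granted for the rw or ra types.
tunable_policy(`httpd_read_user_content_noscript',`
	allow httpd_t httpd_user_content_t:dir list_dir_perms;
	read_files_pattern(httpd_t, httpd_user_content_t, httpd_user_content_t)
	read_lnk_files_pattern(httpd_t, httpd_user_content_t, httpd_user_content_t)
')

# Build, load and verify (assumed paths, selinux-policy-devel Makefile):
#   make -f /usr/share/selinux/devel/Makefile local_httpd_userdir.pp
#   semodule -i local_httpd_userdir.pp
#   setsebool -P httpd_read_user_content_noscript on
#   sesearch -A -s httpd_t -t httpd_user_content_t -c file -p read
```

With httpd_builtin_scripting off and the new boolean on, sesearch should now report the file read rule for httpd_t on httpd_user_content_t; with both off it should report none, which is the coarse behaviour the thread complains about. The module deliberately covers only the rules the thread identifies as gated by scripting; traversal of the users' home directories themselves is handled by the separate userdir boolean mentioned above, not by this module.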