Hello,

let's say I have a www service that's run through apache/selinux+ with its own domain say foo_t. The domain has write access to some files with type foo_data_t (which is files_type) through an allow rule.

Now, due to the 'typebound httpd_t foo_t' rule used with apache domains, I would normally also have to 'allow httpd_t foo_data_t : file ...'.

But today I saw another solution at work, which used an oddball rule where the foo_data_t was type bounded by another files_type, something like 'typebound http_user_data_t foo_data_t' (don't remember the bounding type's name exactly). This would make the www service work the expected way without the need for 'allow httpd_t foo_data_t : file ...'.

Is this a known behavior? What is the sense in typebounding file types? Just for completeness this was on FC12 with targeted policy.

Michal Svoboda
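The two policy variants from the post, run through a toy bounds checker (an added example, not part of the original message and not SELinux code). The `write` permission and the three-way acceptance rule are assumptions; the target-bound cases model the behaviour the post reports rather than documented semantics.

```python
# Toy model of a type-bounds check (added illustration, not SELinux source).
# Assumption: a rule touching a bounded type is accepted when the same
# permissions are granted on (source bound, target), (source, target bound)
# or (source bound, target bound); the last two model what the post reports.

def parse(policy):
    """Read 'typebound PARENT CHILD' and 'allow SRC TGT:CLASS PERMS' lines."""
    bounds, allows = {}, {}
    for line in policy.strip().splitlines():
        for ch in ";:{}":
            line = line.replace(ch, " ")
        words = line.split()
        if words[:1] == ["typebound"]:
            bounds[words[2]] = words[1]          # child -> bounding parent
        elif words[:1] == ["allow"]:
            src, tgt, cls = words[1:4]
            allows.setdefault((src, tgt, cls), set()).update(words[4:])
    return bounds, allows

def violations(policy):
    """Return allow rules that no bounding pair covers."""
    bounds, allows = parse(policy)
    failed = []
    for (src, tgt, cls), perms in sorted(allows.items()):
        pairs = []
        if src in bounds:
            pairs.append((bounds[src], tgt))
        if tgt in bounds:
            pairs.append((src, bounds[tgt]))
        if src in bounds and tgt in bounds:
            pairs.append((bounds[src], bounds[tgt]))
        if pairs and not any(perms <= allows.get((s, t, cls), set())
                             for s, t in pairs):
            failed.append((src, tgt, cls, sorted(perms)))
    return failed

# Constructed sample policies; 'write' stands in for the elided permissions.
BASE = """
typebound httpd_t foo_t;
allow foo_t foo_data_t:file write;
"""
VARIANT_A = BASE + "allow httpd_t foo_data_t:file write;\n"
VARIANT_B = BASE + ("typebound http_user_data_t foo_data_t;\n"
                    "allow httpd_t http_user_data_t:file write;\n")

if __name__ == "__main__":
    for name in ("BASE", "VARIANT_A", "VARIANT_B"):
        print(name, violations(globals()[name]))
```

Under this model, variant B passes without any `httpd_t` to `foo_data_t` rule, so reviewing what `httpd_t` can reach means following the bounds on file types as well as the allow rules.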