[Freeipa-devel] Writing to /var/cache/ipa/assets/

Adam Young ayoung at redhat.com
Fri Jun 18 21:28:19 UTC 2010


On 06/18/2010 04:51 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> Pavel's current code base tries to write to  /var/cache/ipa/assets/ 
>> from within httpd, which is forbidden by SELinux.  I suspect the code 
>> in the mainline might be doing this as well.  The workaround is:
>>
>> chcon -R -t httpd_sys_content_rw_t /var/cache/ipa/assets
>> semanage fcontext -a -t httpd_sys_content_rw_t 'assets'
>>
>> If we are going to do this kind of code generation, we might want to 
>> do it at install time, or as part of something like
>> /etc/init.d/ipa-server start
>>
>
> I'd think this rule would cover it in ipa_httpd.fc:
>
> /var/cache/ipa/assets(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
>
> rob
Before I open a bug I want to review with Pavel.  I wasn't seeing this 
before I merged in his changes, and it wasn't for code in the main git 
repo, so no bug yet.
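
Added example, not part of the original message or of the FreeIPA code: file-context specs are regular expressions anchored to the full path, so this sketch checks which of the specs quoted in the thread would actually label files under /var/cache/ipa/assets. It assumes a simplified "last matching rule wins" ordering and uses `grep -x` to stand in for the anchoring; the rule tables and sample paths are constructed.

```shell
#!/bin/sh
# Added illustration: which file-context spec from the thread labels which path.

# File-context specs are regexes anchored to the whole path; grep -x
# stands in for that anchoring here.
spec_matches() {  # usage: spec_matches SPEC PATH
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# One "SPEC TYPE" rule per line. First line: the ipa_httpd.fc rule quoted
# in the thread. Second line: a local rule as added with semanage.
RULES_BARE_SPEC='/var/cache/ipa/assets(/.*)? httpd_sys_content_t
assets httpd_sys_content_rw_t'
RULES_FULL_SPEC='/var/cache/ipa/assets(/.*)? httpd_sys_content_t
/var/cache/ipa/assets(/.*)? httpd_sys_content_rw_t'

# Assumption: simplified ordering, the last matching rule wins.
type_for() {  # usage: type_for RULES PATH
    result='<<none>>'
    while read -r spec ctype; do
        if spec_matches "$spec" "$2"; then result=$ctype; fi
    done <<EOF
$1
EOF
    printf '%s\n' "$result"
}

# Constructed sample paths: the directory itself and one file inside it.
for p in /var/cache/ipa/assets /var/cache/ipa/assets/app.js; do
    printf '%-32s bare=%s full=%s\n' "$p" \
        "$(type_for "$RULES_BARE_SPEC" "$p")" \
        "$(type_for "$RULES_FULL_SPEC" "$p")"
done
```

A label set only with `chcon` is not recorded in the file-context database, so a later `restorecon` or full relabel resets the files to whatever the matching spec says.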




