SELinux/httpd integration

Daniel J Walsh dwalsh at redhat.com
Wed Nov 17 15:15:15 UTC 2004


Joe Orton wrote:

>On Tue, Nov 16, 2004 at 03:35:49PM -0500, Daniel J Walsh wrote:
>
>>Joe Orton wrote:
>>
>>>httpd_t *cannot* write to anything labelled with httpd_sys_content_t by
>>>default, surely - that's the whole problem?
>>>
>>>When I set up /var/www/svn as above, I get AVC messages like:
>>>
>>>audit(1100636258.341:0): avc:  denied  { write } for  pid=21318
>>>exe=/usr/sbin/httpd name=__db.001 dev=hda2 ino=3169309
>>>scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t
>>>tclass=file
>>
>>Policy has been updated to allow this.  Please update to
>>selinux-policy-targeted-1.17.30-2.26 or greater.
>
>The same using a fresh Raw Hide install from yesterday,
>selinux-policy-targeted-1.19.1-9:
>
>audit(1100690797.204:0): avc:  denied  { write } for  pid=2388
>exe=/usr/sbin/httpd name=__db.001 dev=md0 ino=1194146
>scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
>
If you label the svn files httpd_sys_script_rw_t it should work, but this
does expose a bug in the httpd_unified boolean, which I fixed
in selinux-policy-targeted-1.19.1-12 and
selinux-policy-targeted-1.17.30-2.31.

>joe

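A small triage of denial lines like the two quoted above, as an added example that is not part of the thread: it pulls the source and target types out of each AVC record and flags the httpd_t write to httpd_sys_content_t case that the reply says a relabel to httpd_sys_script_rw_t resolves. The sample input is the thread's two denials joined onto single lines plus one constructed denial against etc_t, which the thread's fix does not cover.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: the two denials quoted in the thread, each joined onto a
# single line, plus one made-up denial against a different target type (etc_t).
SAMPLE_AVCS = [
    "audit(1100636258.341:0): avc:  denied  { write } for  pid=21318 "
    "exe=/usr/sbin/httpd name=__db.001 dev=hda2 ino=3169309 "
    "scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file",
    "audit(1100690797.204:0): avc:  denied  { write } for  pid=2388 "
    "exe=/usr/sbin/httpd name=__db.001 dev=md0 ino=1194146 "
    "scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file",
    "audit(1100690800.000:0): avc:  denied  { write } for  pid=2390 "
    "exe=/usr/sbin/httpd name=hosts dev=md0 ino=7 "
    "scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:etc_t tclass=file",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Split an AVC denial into its permission set and its key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, Any] = {"perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def context_type(ctx: str) -> str:
    """Type component of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def triage(rec: Dict[str, Any]) -> str:
    """Map one denial onto the remedy discussed in the thread, if it applies."""
    src = context_type(rec["scontext"])
    tgt = context_type(rec["tcontext"])
    if src == "httpd_t" and tgt == "httpd_sys_content_t" and "write" in rec["perms"]:
        # Content httpd must write (the svn repository here) belongs in a
        # writable content type, as the reply recommends.
        return "relabel to httpd_sys_script_rw_t"
    return "not covered by the thread's fix"


def triage_log(lines: List[str]) -> List[Tuple[str, str]]:
    """(object name, verdict) for every parseable denial in the input."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            out.append((rec.get("name", "?"), triage(rec)))
    return out
```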