SELinux/httpd integration
Yuichi Nakamura
himainu-ynakam at miomio.jp
Sun Nov 21 23:11:15 UTC 2004
Daniel J Walsh <dwalsh at redhat.com> wrote:
> >audit(1100636258.341:0): avc: denied { write } for pid=21318
> >exe=/usr/sbin/httpd name=__db.001 dev=hda2 ino=3169309
> >scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
> Policy has been updated to allow this. Please update to
> selinux-policy-targeted-1.17.30-2.26 or greater.
I looked at selinux-policy-strict|targeted-sources-1.19.4-1
and found the following statements.
if (httpd_enable_cgi && httpd_unified ) {
...
allow httpd_t httpdcontent:file { create ioctl read getattr lock write setattr append link unlink rename };
..
}
I think it is allowing too much.
It will be hard for users to guess that "httpd_unified" means "allowing httpd full access to all contents".
A separate boolean like "httpd_content_writable" should be prepared.
# I am not sure the name is good..
And I think, like "httpd_sys_script_rw_t",
"httpd_rw_t" would be useful in using PHP (such as wiki, xoops).
Users can allow write permission only by modifying types.
Please look at attached diffs.
---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
http://www.selinux.gr.jp/
Attachment: apache_macros.te.diff (application/octet-stream, 820 bytes)
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20041121/f5bd5e89/attachment.obj>
Attachment: apache.te.diff (application/octet-stream, 599 bytes)
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20041121/f5bd5e89/attachment-0001.obj>
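As an added illustration of the proposal in the post above (this is neither the author's attached diffs nor the Fedora policy source), the following sketch expresses a write-only boolean and a dedicated writable type in the 1.x-era policy syntax the post quotes. The names httpd_content_writable and httpd_rw_t come from the post; the paths, the directory permission set and the file_contexts entry are assumptions.

```selinux
# Added example, not the author's attached diffs or the Fedora policy
# source. Shows the post's proposal in 1.x-era policy syntax:
# (1) a boolean that only grants write access, separate from httpd_unified,
# (2) a dedicated type so that only relabelled files become writable.
# Boolean and type names follow the post; paths and the dir permission
# set are assumptions.

# --- apache.te (policy source) ---

# Allow httpd_t to write only to files labelled httpd_rw_t (off by default).
bool httpd_content_writable false;

# Content type that httpd may modify; all other content types stay read-only.
type httpd_rw_t, file_type, sysadmfile;

# Read access is granted regardless of the boolean, as for other httpd content.
allow httpd_t httpd_rw_t:dir { read getattr lseek search ioctl };
allow httpd_t httpd_rw_t:file { read getattr lseek ioctl };
allow httpd_t httpd_rw_t:lnk_file { read getattr };

# Write access is gated by the new boolean and limited to httpd_rw_t,
# unlike the httpd_unified rule, which covers every httpdcontent type.
if (httpd_content_writable) {
    allow httpd_t httpd_rw_t:dir { write add_name remove_name create rmdir };
    allow httpd_t httpd_rw_t:file { create write setattr append link unlink rename lock };
}

# --- file_contexts/program/apache.fc ---
# Only the wiki's data directory receives the writable type (path assumed).
/var/www/html/wiki/data(/.*)?    system_u:object_r:httpd_rw_t

# --- administration (commands shown as comments) ---
# setsebool -P httpd_content_writable 1     # enable the boolean persistently
# restorecon -R /var/www/html/wiki/data     # apply the label from file_contexts
# ls -Z /var/www/html/wiki/data             # verify the files now carry httpd_rw_t
```

With this split, an AVC denial such as the one quoted at the top of the thread is resolved by relabelling only the directory the application needs, rather than by making every content type writable.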