SELinux/httpd integration

Yuichi Nakamura himainu-ynakam at miomio.jp
Mon Nov 22 22:30:58 UTC 2004


Colin Walters wrote:
> On Sun, 2004-11-21 at 18:11 -0500, Yuichi Nakamura wrote:
> > Daniel J Walsh <dwalsh at redhat.com> wrote:
> > > >audit(1100636258.341:0): avc:  denied  { write } for  pid=21318 
> > > >exe=/usr/sbin/httpd name=__db.001 dev=hda2 ino=3169309 
> > > >scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
> > > Policy has been updated to allow this.  Please update to 
> > > selinux-policy-targeted-1.17.30-2.26 or greater.
> > 
> > I looked selinux-policy-strict|targeted-sources-1.19.4-1, 
> > and found following statements.
> > if (httpd_enable_cgi && httpd_unified ) {
> > ...
> > allow httpd_t httpdcontent:file { create ioctl read getattr lock write setattr append link unlink rename };
> > ..
> > }
> > 
> > I think it is allowing too much.
> You think the boolean should not exist?  Or just think it should grant
> fewer permissions?

I think it should grant fewer permissions.
Why should httpd_t be able to write all content under httpd_unified?

In my understanding, "httpd_unified" means unifying the domain transition entry points of CGI.
So I feel that allowing httpd_t write permission to all content is out of the scope of httpd_unified.


---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
  http://www.selinux.gr.jp/
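As an added illustration of the point raised in the message above (this is example policy text, not a fragment of the Fedora selinux-policy sources or of the thread), the rule as quoted is shown beside a narrower alternative that keeps httpd_t read-only on the httpdcontent attribute and confines its write access to a single dedicated type. The type name httpd_sys_script_rw_t is assumed to exist in the policy being edited; it is not taken from the thread.

```selinux
# Added example, not from the Fedora policy sources quoted in the thread.

# The rule as quoted: with both booleans on, httpd_t itself gets full
# create/write/unlink/rename access to every type that carries the
# httpdcontent attribute, not just the CGI entry points.
if (httpd_enable_cgi && httpd_unified) {
allow httpd_t httpdcontent:file { create ioctl read getattr lock write setattr append link unlink rename };
}

# Narrower alternative: httpd_t may still read all content, but may only
# write to one type set aside for writable content.
# httpd_sys_script_rw_t is assumed to be defined elsewhere in the policy
# (assumption for this example).
if (httpd_enable_cgi && httpd_unified) {
allow httpd_t httpdcontent:file { ioctl read getattr lock };
allow httpd_t httpd_sys_script_rw_t:file { create ioctl read getattr lock write setattr append link unlink rename };
}
```

Two caveats: the "..." in the quoted fragment hides the surrounding rules (in particular the dir permissions that create, unlink and rename need on the parent directory), so a real change has to revisit those as well; and the AVC denial quoted at the top of the thread was on a file of type httpd_sys_content_t, which under the narrower form would be read-only for httpd_t, so files that httpd_t genuinely must write (such as that __db.001 file) would need to be relabeled to the writable type rather than have the broad rule restored.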