SELinux/httpd integration

Colin Walters walters at redhat.com
Sun Nov 28 18:35:52 UTC 2004


On Sun, 2004-11-28 at 08:23 -0800, Karsten Wade wrote:
> On Tue, 2004-11-16 at 12:35, Daniel J Walsh wrote:
> > Joe Orton wrote:
> > 
> > >httpd_t *cannot* write to anything labelled with
> httpd_sys_content_t by
> > >default, surely - that's the whole problem?
> >
> > Policy has been updated to allow this.  Please update to 
> > selinux-policy-targeted-1.17.30-2.26 or greater.
> 
> I can't find this allow rule in 1.17.30-2.34.  I've used apol direct and
> transitive information flow analysis and good ol' grep to no avail. 
> Before I post a very long message detailing everything I did, can
> someone tell me how httpd_t has gained write allow for
> httpd_sys_content_t?  FWIW, I finally set the boolean in apache.te and
> recompiled policy, but still can't find the write.

It's this section:

if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
ifelse($1, sys, `
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
create_dir_file(httpd_t, httpdcontent)
', `
can_exec(httpd_$1_script_t, httpdcontent )
domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
')
create_dir_file(httpd_$1_script_t, httpdcontent)
}


Specifically: 
create_dir_file(httpd_t, httpdcontent)

httpdcontent is an attribute that all of the various httpd types such as
httpd_sys_content_t have.
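
The mechanics behind the explanation above, as an added example that is not part of the original message or of the Fedora policy sources: a small Python model of a boolean-guarded conditional block whose allow rules target an attribute rather than a type. Two things are modelled: that a rule written against the attribute httpdcontent reaches httpd_sys_content_t only through the type-to-attribute mapping (so grepping for the type name, or searching rules that literally name it, finds no write permission), and that the rule only exists while httpd_enable_cgi && httpd_unified && !httpd_disable_trans holds. The permission sets for create_dir_file() and r_dir_file(), the baseline read rule, httpd_user_content_t carrying the attribute, and the boolean defaults are assumptions made for the example.

```python
"""Toy resolver for attribute-targeted, boolean-conditional SELinux allow rules.

Added example; the macros below are simplified stand-ins, not the real
policy macros, and the permission sets are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str             # a concrete type *or* an attribute such as httpdcontent
    tclass: str             # object class: "file" or "dir"
    perms: FrozenSet[str]

    def __str__(self) -> str:
        return f"allow {self.source} {self.target}:{self.tclass} {{ {' '.join(sorted(self.perms))} }};"


def create_dir_file(src: str, tgt: str) -> List[AllowRule]:
    # Stand-in for the policy's create_dir_file() m4 macro (assumption: the
    # real expansion carries more permissions than listed here).
    file_perms = frozenset({"create", "read", "write", "append", "getattr",
                            "setattr", "unlink", "rename", "link", "lock", "ioctl"})
    dir_perms = file_perms | frozenset({"search", "add_name", "remove_name",
                                        "reparent", "rmdir"})
    return [AllowRule(src, tgt, "file", file_perms),
            AllowRule(src, tgt, "dir", dir_perms)]


def r_dir_file(src: str, tgt: str) -> List[AllowRule]:
    # Stand-in for the read-only r_dir_file() macro (assumption).
    file_perms = frozenset({"read", "getattr", "lock", "ioctl"})
    return [AllowRule(src, tgt, "file", file_perms),
            AllowRule(src, tgt, "dir", file_perms | {"search"})]


Condition = Callable[[Dict[str, bool]], bool]


@dataclass
class Policy:
    type_attrs: Dict[str, Set[str]]                    # type -> attributes it carries
    booleans: Dict[str, bool]
    blocks: List[Tuple[Condition, List[AllowRule]]]    # (guard, rules) pairs

    def active_rules(self) -> List[AllowRule]:
        """Rules whose guarding condition is true under the current booleans."""
        return [r for guard, rules in self.blocks if guard(self.booleans) for r in rules]

    def _reaches(self, rule: AllowRule, type_name: str) -> bool:
        # A rule reaches a type if it names the type or one of its attributes.
        return rule.target == type_name or rule.target in self.type_attrs.get(type_name, set())

    def explain(self, src: str, tgt_type: str, tclass: str, perm: str) -> List[str]:
        """Every active rule that grants src perm on tgt_type:tclass, as text."""
        return [str(r) for r in self.active_rules()
                if r.source == src and r.tclass == tclass and perm in r.perms
                and self._reaches(r, tgt_type)]

    def allowed(self, src: str, tgt_type: str, tclass: str, perm: str) -> bool:
        return bool(self.explain(src, tgt_type, tclass, perm))

    def rules_naming(self, type_name: str) -> List[str]:
        """What a grep for the type name finds: rules whose target is literally that type,
        regardless of booleans."""
        return [str(r) for _, rules in self.blocks for r in rules if r.target == type_name]


def targeted_httpd_fragment(booleans: Dict[str, bool]) -> Policy:
    """The quoted apache.te fragment with ifdef(`targeted_policy') taken and $1 = sys."""
    always: Condition = lambda b: True
    cgi_unified: Condition = lambda b: (b["httpd_enable_cgi"] and b["httpd_unified"]
                                        and not b["httpd_disable_trans"])
    type_attrs = {"httpd_sys_content_t": {"httpdcontent"},
                  "httpd_user_content_t": {"httpdcontent"}}   # assumption for the second type
    blocks = [
        (always, r_dir_file("httpd_t", "httpd_sys_content_t")),          # assumed baseline read
        (cgi_unified, create_dir_file("httpd_t", "httpdcontent")
                      + create_dir_file("httpd_sys_script_t", "httpdcontent")),
    ]
    return Policy(type_attrs, booleans, blocks)


def default_booleans() -> Dict[str, bool]:
    # Assumption: httpd_unified off, matching "cannot write by default" in the thread.
    return {"httpd_enable_cgi": True, "httpd_unified": False, "httpd_disable_trans": False}


if __name__ == "__main__":
    for unified in (False, True):
        bools = dict(default_booleans(), httpd_unified=unified)
        pol = targeted_httpd_fragment(bools)
        print(f"httpd_unified={unified}: write allowed ->",
              pol.allowed("httpd_t", "httpd_sys_content_t", "file", "write"))
        for line in pol.explain("httpd_t", "httpd_sys_content_t", "file", "write"):
            print("   ", line)
    print("rules literally naming httpd_sys_content_t:")
    for line in targeted_httpd_fragment(default_booleans()).rules_naming("httpd_sys_content_t"):
        print("   ", line)
```

On a real system the equivalent checks are `getsebool httpd_unified` (and `httpd_enable_cgi`, `httpd_disable_trans`) followed by a setools query such as `sesearch -A -s httpd_t -t httpd_sys_content_t -c file -p write` (flag spelling varies between setools releases); sesearch expands attributes and evaluates booleans, which is why it finds the rule that a plain grep for the type name does not.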
