
Re: Another Apache problem



David Hampton wrote:

On Mon, 2005-04-04 at 17:01 -0400, Daniel J Walsh wrote:



r_dir_file(httpd_t, http_$1_content_t) was locked in this boolean.

I have moved it outside and once you update to tomorrow's policy, you should
be able to turn off all booleans and still serve pages.



Should there also be an "r_dir_file(httpd_t, httpdcontent)" statement in the same place? (Or in its place, since http_$1_content_t is marked with the httpdcontent attribute). Or am I misunderstanding the reason behind the httpdcontent attribute? The comment with this attribute is pretty sparse.

The question comes up because in one of the policies I submitted, I had

type yam_content_t, file_type, sysadmfile, httpdcontent;

Should this be sufficient to allow httpd to serve the files, or do I
need to explicitly add


r_dir_file(httpd_t, yam_content_t)

I have the equivalent of this line at the moment, but would like to
remove it if it's redundant (or should be redundant).

Thanks.


httpdcontent is used by the httpd_unified domain, which says treat all httpdcontent the same.
So that would only be used within that boolean. So if you want to turn off all booleans for httpd (most secure),
you would have to add


r_dir_file(httpd_t, yam_content_t)

If you want to run with httpd_unified you don't need to.

httpd_unified on a machine without httpd scripts would not make much difference.

Dan


David


--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
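
The relationship described in this message, written out as a policy fragment. This is an added example, not part of the original thread and not copied from the shipped Fedora policy; the conditional block is an assumed illustration of how a rule on the httpdcontent attribute is gated by the boolean.

```selinux
# Sketch in the example-policy syntax used in this thread.
# Assumption: httpd_unified is already declared as a boolean elsewhere in
# the policy, and the conditional block below only illustrates the gating
# described in the reply; it is not the shipped apache.te.

# Content type from David's policy. The httpdcontent attribute only places
# the type in a group; by itself it grants httpd_t no access.
type yam_content_t, file_type, sysadmfile, httpdcontent;

# Access granted through the attribute lives inside the boolean, so it
# applies to every httpdcontent type while httpd_unified is on and
# disappears for all of them when the boolean is turned off.
if (httpd_unified) {
r_dir_file(httpd_t, httpdcontent)
}

# Unconditional rule for this one type: httpd_t can read yam_content_t
# files and directories with every httpd boolean turned off.
r_dir_file(httpd_t, yam_content_t)
```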



