selinux and ASP for Linux

Colin Walters walters at redhat.com
Thu Mar 3 03:42:32 UTC 2005


On Wed, 2005-03-02 at 17:20 -0600, Jason Dravet wrote:

>So in short to get asp for linux working you have to do the following:
>
>chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/

I'm not sure this is *really* what you want by the way - by default both
httpd_t and httpd_sys_script_t have complete access to it (modulo DAC of
course).

Without knowing more about the program I couldn't say.

>chcon -h -t shlib_t /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so
>chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libcasp2ap.so
>chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/libaspdisp.so
>
>Can this be added to the targeted policy in the future?

Well...these regexps exist in types.fc already:

/opt/.*/lib(64)?(/.*)?				system_u:object_r:lib_t
/opt/.*/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t

So I think actually you could have done:

restorecon /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so /opt/casp/server/lib/linux2_i686_optimized/*.so

Note that if the package was installed via RPM this labeling would have
occurred automatically.

But we do have a difficulty with 3rd-party generic plugin installation
and Apache; again Apache is basically unique among the targeted daemons
in this respect.
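
An added example (not part of the original message): a small POSIX shell model of how the two types.fc entries quoted above are applied to paths from this thread. The helper name expected_context, its file/dir argument and the file name mod_example.so are assumptions made for illustration, and the matching rules are simplified to a whole-path match with the later entry winning.

```shell
#!/bin/sh
# Added example, not from the original message.
# Simplified model (assumption): a regex must match the whole path, "--"
# limits an entry to regular files, and the last matching entry wins.

# The two types.fc entries quoted above, as regex|filetype|context.
FC_ENTRIES='/opt/.*/lib(64)?(/.*)?||system_u:object_r:lib_t
/opt/.*/lib(64)?/.*\.so(\.[^/]*)*|--|system_u:object_r:shlib_t'

# expected_context PATH KIND   (KIND is "file" or "dir"; hypothetical helper)
# KIND is an argument so the check runs without the files being present.
expected_context() {
    path=$1 kind=$2 result='<<none>>'   # '<<none>>' = no entry matched
    while IFS='|' read -r regex ftype ctx; do
        # Skip regular-file-only entries when the object is not a file.
        if [ "$ftype" = "--" ] && [ "$kind" != "file" ]; then
            continue
        fi
        # grep -x anchors the extended regex to the entire path.
        if printf '%s\n' "$path" | grep -Eqx -e "$regex"; then
            result=$ctx                 # keep scanning: later entries override
        fi
    done <<EOF
$FC_ENTRIES
EOF
    printf '%s\n' "$result"
}

# Paths from the thread; mod_example.so is a constructed file name.
LIBDIR=/opt/casp/server/lib/linux2_i686_optimized
MODDIR=/opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard

expected_context "$LIBDIR" dir                   # lib_t entry only
expected_context "$LIBDIR/libcasp2ap.so" file    # both match, shlib_t is later
# No /lib/ or /lib64/ component here, so neither of these two entries applies.
# Entries elsewhere in the full policy are not modeled.
expected_context "$MODDIR/mod_example.so" file
```

On a live system, matchpathcon PATH or restorecon -n -v PATH reports what the loaded policy would actually assign, without changing any labels.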




