selinux and ASP for Linux

Colin Walters walters at
Thu Mar 3 03:42:32 UTC 2005

On Wed, 2005-03-02 at 17:20 -0600, Jason Dravet wrote:

>So in short to get asp for linux working you have to do the following:
>chcon -R -h -t httpd_sys_content_t /opt/casp/INSTALL/

I'm not sure this is *really* what you want by the way - by default both
httpd_t and httpd_sys_script_t have complete access to it (modulo DAC of

Without knowing more about the program I couldn't say.

>chcon -h -t shlib_t
>chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/
>chcon -h -t shlib_t /opt/casp/server/lib/linux2_i686_optimized/
>Can this be added to the targeted policy in the future?

Well...these regexps exist in types.fc already:

/opt/.*/lib(64)?(/.*)?				system_u:object_r:lib_t
/opt/.*/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t

So I think actually you could have done:

restorecon /opt/casp/module/linux2_i686_optimized/apache_2.0.x/20020903/standard/*.so /opt/casp/server/lib/linux2_i686_optimized/*.so

Note that if the package was installed via RPM this labeling would have
occurred automatically.

But we do have a difficulty with 3rd-party generic plugin installation
and Apache; again Apache is basically unique among the targeted daemons
in this respect.

More information about the fedora-selinux-list mailing list