making a user create files as "user_u:system_r:httpd_t"

Hugo Martin Campos V. hugomartinplug at yahoo.com
Fri Feb 2 03:49:28 UTC 2007


Stephen Smalley <sds at tycho.nsa.gov> wrote: [ snip ]
> 
> How is the person uploading the files and where in the directory
> hierarchy are they uploading them to?

> Note btw that user_u:system_r:httpd_t is a process context, not a
> context for files.  You likely want user_u:object_r:httpd_sys_content_t
> instead.
> 
> By default, files should inherit their type from the parent directory,
> so if you were copying files to /var/www/html, it should pick up the
> right context automatically.  But if you upload to a different directory
> and then move the files into place, the file will inherit the context of
> the directory in which it was originally created and mv will seek to
> preserve the context.

Thanks Stephen and Paul, 

The person uploads the files in "/home2/web/" as the user "web2"

These errors were generated before your advice (I could only reproduce the 2nd):
avc:  denied  { getattr } for  pid=8244 comm="httpd" name="/" dev=hda5 ino=2 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
avc:  denied  { read } for  pid=8247 comm="httpd" name="index.php" dev=hda5 ino=701772 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=file

After your advice I labeled the files in "/etc/selinux/targeted/src/policy/file_contexts/file_contexts" as: 
  ...
  /home2/web(/.*)?          system_u:object_r:httpd_user_content_t
  /home/httpd/html(/.*)?          system_u:object_r:httpd_user_content_t

When I create a file (HM-TestFile-web2) in /home2/web/ as web2 (the web admin) it gets labeled as: 
-rw-r--r--  web2   users    user_u:object_r:httpd_sys_content_t HM-TestFile-web2
drwxr-xr-x  web2   users    system_u:object_r:httpd_user_content_t images
-rw-r--r--  web2   users    system_u:object_r:httpd_user_content_t index.html
...
which is weird because the parent "/home2/web/" has "system_u:object_r:httpd_user_content_t"

I am assuming that labeling as "httpd_user_content_t" is more secure in this case than "httpd_sys_content_t", is that true?

Anyway, with those labels no denials have appeared on the logs so far.

Hugo Martin
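The exchange above turns on three things: a process context (role system_r) is never a valid file label, a file's label is decided by the file_contexts rule that matches its full path (or, absent a relabel, inherited from the directory it was created in), and a denial whose tcontext is default_t means the object was never relabeled. The following is an added example, not code from the post or from Fedora's SELinux tooling: a small matchpathcon-style checker that parses file_contexts rules and AVC denial lines, works out what each denied object should be labeled, and reports the mismatch. The file_contexts sample is constructed (the poster's two rules plus a catch-all and a root entry); the AVC lines are the two quoted in the post. "Last matching rule wins" is the classic file_contexts semantics (newer libselinux sorts rules by specificity first, which normally yields the same answer), and mounting the hda5 filesystem at the base directory is an assumption made only so the name="/" denial can be given a path.

```python
"""Added example: check AVC denials against file_contexts rules."""
import re

# Constructed sample in file_contexts format: regex, optional type flag, context.
FILE_CONTEXTS = """\
/.*                       system_u:object_r:default_t
/                         -d  system_u:object_r:root_t
/home2/web(/.*)?          system_u:object_r:httpd_user_content_t
/home/httpd/html(/.*)?    system_u:object_r:httpd_user_content_t
"""

# The two denials quoted in the post, used here as sample input.
AVC_LOG = """\
avc:  denied  { getattr } for  pid=8244 comm="httpd" name="/" dev=hda5 ino=2 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
avc:  denied  { read } for  pid=8247 comm="httpd" name="index.php" dev=hda5 ino=701772 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=file
"""

FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?(\S+:\S+:\S+)$")
TYPE_FLAG_TO_CLASS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
                      "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}
AVC_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_PERM = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}")


def split_context(ctx):
    """Return (user, role, type); any trailing MLS field is ignored."""
    parts = ctx.split(":")
    return parts[0], parts[1], parts[2]


def is_object_context(ctx):
    """On-disk labels carry object_r; system_r/user_r contexts belong to processes."""
    return split_context(ctx)[1] == "object_r"


def parse_file_contexts(text):
    """Return [(anchored regex, tclass or None, context)] in file order.
    libselinux anchors each pattern as ^(...)$, so /home2/web(/.*)? will not
    match /home2/webmail."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("bad file_contexts line: %r" % line)
        pattern, flag, ctx = m.groups()
        rules.append((re.compile("^(" + pattern + ")$"), TYPE_FLAG_TO_CLASS.get(flag), ctx))
    return rules


def expected_context(path, rules, tclass="file"):
    """Context the policy prescribes for path (assumption: last matching rule wins)."""
    chosen = None
    for regex, rule_class, ctx in rules:
        if regex.match(path) and (rule_class is None or rule_class == tclass):
            chosen = ctx
    return chosen


def parse_avc(text):
    """Turn each 'avc: denied' line into a dict of its key=value fields plus perm."""
    denials = []
    for line in text.splitlines():
        if "avc:" not in line:
            continue
        fields = {k: v.strip('"') for k, v in AVC_FIELD.findall(line)}
        perm = AVC_PERM.search(line)
        fields["perm"] = perm.group(1).strip() if perm else ""
        denials.append(fields)
    return denials


def audit_denials(avc_text, fc_text, base_dir):
    """Compare the type on each denied object (tcontext) with the type that
    file_contexts prescribes. name= in an AVC record is only a basename, so the
    path is rebuilt under base_dir; name="/" with ino=2 is the root inode of the
    hda5 filesystem, which this example ASSUMES is mounted at base_dir."""
    rules = parse_file_contexts(fc_text)
    findings = []
    for d in parse_avc(avc_text):
        path = base_dir if d["name"] == "/" else base_dir.rstrip("/") + "/" + d["name"]
        actual = split_context(d["tcontext"])[2]
        want = expected_context(path, rules, d["tclass"])
        wanted = split_context(want)[2] if want else None
        findings.append({"path": path, "perm": d["perm"], "tclass": d["tclass"],
                         "actual": actual, "expected": wanted,
                         "mislabeled": wanted is not None and wanted != actual})
    return findings


def fix_commands(findings, base_dir):
    """A stale label is fixed by relabeling from file_contexts, not by hand with chcon."""
    return ["restorecon -Rv " + base_dir] if any(f["mislabeled"] for f in findings) else []


if __name__ == "__main__":
    result = audit_denials(AVC_LOG, FILE_CONTEXTS, "/home2/web")
    for finding in result:
        print(finding)
    print(fix_commands(result, "/home2/web"))
```

Run stand-alone it reports both denied objects as carrying default_t where the rules call for httpd_user_content_t, and prints the restorecon command; the same check against a path such as /home2/webmail/x shows that the anchored regex does not bleed into neighbouring directories.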

 		
---------------------------------
 Preguntá. Respondé. Descubrí.
 Todo lo que querías saber, y lo que ni imaginabas,
 está en Yahoo! Respuestas (Beta).
 Probalo ya! 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20070202/617a35b8/attachment.htm>


More information about the fedora-selinux-list mailing list