cgi script needs to write to a cache location

Chuck Anderson cra at WPI.EDU
Tue Jun 30 20:48:44 UTC 2009


I have a cgi script /usr/share/cricket/cgi-bin/grapher.cgi which needs 
to write generated images to a cache in /var/cache/cricket.  I'm using 
these file contexts to get the cgi script and static files working:

/usr/share/[^/]*/www(/.*)?     system_u:object_r:httpd_sys_content_t:s0
/usr/share/[^/]*/html(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/usr/share/[^/]*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0

so grapher.cgi is running as httpd_sys_script_exec_t.  What type 
should I make /var/cache/cricket(/.*)? to allow the cgi to 
read/write/create files in this directory?

I tried making /var/cache/cricket system_u:object_r:httpd_cache_t.  
Here is the output of audit2allow after running this under "setenforce 
0":

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_cache_t:dir { write search getattr setattr add_name };
allow httpd_sys_script_t httpd_cache_t:file { write read create ioctl getattr };

Is there a better type in the standard policy than httpd_cache_t that 
will allow httpd_sys_script_exec_t to write/create, or will I need to 
define this policy myself?

Thanks.
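An added example, not part of Chuck's post or of any reply on the list: the route I would try before writing a custom module for httpd_cache_t. The audit2allow output above would grant every httpd_sys_script_t script write access to Apache's own cache type, which is broader than this one CGI needs. The stock policy already has a content type that httpd_sys_script_t may read, write and create files in, httpd_sys_rw_content_t (older Fedora policies name it httpd_sys_script_rw_t; the script asks the loaded policy which one exists), and Apache itself can read it, so generated images can be served from the cache. The script labels /var/cache/cricket(/.*)? with that type persistently and confirms the grant from the policy with sesearch rather than by trial under setenforce 0. The path, the script domain and the two type names come from the post and from the reference policy; the function names, the --apply switch and the sample seinfo output in the comments are this example's own assumptions. It expects semanage (policycoreutils-python) and seinfo/sesearch (setools) to be installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Labels a CGI-writable
# cache directory with the stock script-writable content type instead of
# opening httpd_cache_t to all CGI scripts with a custom audit2allow module.
# Assumed tools: semanage, restorecon, seinfo, sesearch. Run with --apply to
# change labels; without it the functions are only defined.
set -eu

CACHE_DIR=${CACHE_DIR:-/var/cache/cricket}   # path from the post
SCRIPT_DOMAIN=httpd_sys_script_t               # domain grapher.cgi runs in

# Build the file-context regex for a directory tree in the same style as
# the entries quoted in the post: the directory itself plus everything under it.
fcontext_regex() {
    printf '%s(/.*)?\n' "$1"
}

# Pick the script-writable content type the loaded policy actually defines.
# Reads type names on stdin, one per line, as `seinfo -t` prints them (any
# header or indentation is tolerated). Newer policies call it
# httpd_sys_rw_content_t, older ones httpd_sys_script_rw_t. Prints the name
# and succeeds, or prints nothing and fails if neither type exists.
choose_rw_type() {
    types=$(sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    for t in httpd_sys_rw_content_t httpd_sys_script_rw_t; do
        if printf '%s\n' "$types" | grep -qx "$t"; then
            printf '%s\n' "$t"
            return 0
        fi
    done
    return 1
}

# Persist the label in the local file-context database, then apply it, so
# the label survives a relabel instead of living only in chcon.
label_cache_dir() {
    dir=$1
    type=$2
    semanage fcontext -a -t "$type" "$(fcontext_regex "$dir")"
    restorecon -Rv "$dir"
}

# Confirm from the policy that the CGI domain holds every permission the
# audit2allow output asked for. sesearch prints matching rules; an empty
# result for any permission means the label alone would not be enough.
verify_access() {
    type=$1
    for perm in write search getattr setattr add_name; do
        out=$(sesearch --allow -s "$SCRIPT_DOMAIN" -t "$type" -c dir -p "$perm")
        [ -n "$out" ] || { echo "missing dir:$perm on $type" >&2; return 1; }
    done
    for perm in write read create ioctl getattr; do
        out=$(sesearch --allow -s "$SCRIPT_DOMAIN" -t "$type" -c file -p "$perm")
        [ -n "$out" ] || { echo "missing file:$perm on $type" >&2; return 1; }
    done
    echo "$SCRIPT_DOMAIN may read/write/create in $type"
}

main() {
    if ! command -v seinfo >/dev/null 2>&1; then
        echo "setools (seinfo/sesearch) not installed" >&2
        exit 1
    fi
    rw_type=$(seinfo -t | choose_rw_type) || {
        echo "no script-writable content type in the loaded policy" >&2
        exit 1
    }
    label_cache_dir "$CACHE_DIR" "$rw_type"
    verify_access "$rw_type"
}

if [ "${1-}" = "--apply" ]; then
    main
fi
```

If verify_access reports a missing permission, that is the point at which a local module is warranted; even then, a dedicated type for the cricket cache with rules only for httpd_sys_script_t is narrower than allowing writes to httpd_cache_t.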
More information about the fedora-selinux-list mailing list