cgi script needs to write to a cache location

Chuck Anderson cra at WPI.EDU
Tue Jun 30 20:48:44 UTC 2009

I have a cgi script /usr/share/cricket/cgi-bin/grapher.cgi which needs 
to write generated images to a cache in /var/cache/cricket.  I'm using 
these file contexts to get the cgi script and static files working:

/usr/share/[^/]*/www(/.*)?     system_u:object_r:httpd_sys_content_t:s0
/usr/share/[^/]*/html(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/usr/share/[^/]*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0

so grapher.cgi is running as httpd_sys_script_exec_t.  What type 
should I make /var/cache/cricket(/.*)? to allow the cgi to 
read/write/create files in this directory?

I tried making /var/cache/cricket system_u:object_r:httpd_cache_t.  
Here is the output of audit2allow after running this under "setenforce 

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_cache_t:dir { write search getattr setattr add_name };
allow httpd_sys_script_t httpd_cache_t:file { write read create ioctl getattr };

Is there a better type in the standard policy than httpd_cache_t that 
will allow httpd_sys_script_exec_t to write/create, or will I need to 
define this policy myself?


More information about the fedora-selinux-list mailing list