Newbie Q - gitweb policy

Aaron Gray aaronngray.lists at googlemail.com
Sat Mar 21 02:26:36 UTC 2009


> On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
>> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on
>> Apache. Runs fine in permissive mode not in enforcing.
>>

I had to use 'setenforce 0', remove the grep, and then whittle down the code 
a bit.

mkdir gitweb-policy;
cd gitweb-policy;
echo "policy_module(gitweb, 0.0.1)" > gitweb.te
echo "apache_content_template(gitweb)" >> gitweb.te
echo "/var/www/git/gitweb.cgi --  gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)" >gitweb.fc

make -f /usr/share/selinux/devel/Makefile
semodule -i gitweb.pp
restorecon -R -v /var/www/git/gitweb.cgi

setenforce 0;

Do the HTTP access!


setenforce 1;

ausearch -m avc -ts today | audit2allow -R >> gitweb.te;

make -f /usr/share/selinux/devel/Makefile;

semodule -i gitweb.pp


Whittle the code down a bit to :-
gitweb.te
policy_module(gitweb, 0.0.1)
apache_content_template(gitweb)

require {
        type httpd_sys_script_t;
}

#============= httpd_sys_script_t ==============
files_list_default(httpd_sys_script_t)
files_read_default_files(httpd_sys_script_t)

gitweb.fc
/var/www/git/gitweb.cgi --  gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)
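
Added example, not part of the original post: before appending audit2allow output to gitweb.te, the AVC denials from `ausearch -m avc` can be grouped to see exactly which source type, target type, class and permissions would be allowed. The sample records and all function names below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `ausearch -m avc` output (not taken from the post).
SAMPLE = """\
type=AVC msg=audit(1237601100.101:41): avc:  denied  { read } for  pid=2301 comm="gitweb.cgi" name="git" dev=dm-0 ino=5001 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1237601100.101:41): arch=40000003 syscall=5 success=no exit=-13 comm="gitweb.cgi"
type=AVC msg=audit(1237601100.205:42): avc:  denied  { search getattr } for  pid=2301 comm="gitweb.cgi" name="git" dev=dm-0 ino=5001 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1237601100.310:43): avc:  denied  { read getattr } for  pid=2301 comm="gitweb.cgi" name="description" dev=dm-0 ino=5002 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
"""

# Matches the permission set and the source/target contexts of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def summarize(audit_text):
    """Group denials by (source type, target type, class) and merge perms."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:  # SYSCALL and other record types are skipped
            continue
        key = (context_type(match["src"]), context_type(match["tgt"]),
               match["cls"])
        rules[key].update(match["perms"].split())
    return {key: sorted(perms) for key, perms in rules.items()}


def as_allow_rules(summary):
    """Render the summary as raw allow rules for review."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
            for (src, tgt, cls), perms in sorted(summary.items())]


if __name__ == "__main__":
    for rule in as_allow_rules(summarize(SAMPLE)):
        print(rule)
```

Feeding it the real `ausearch -m avc -ts today` output shows which domain the denials were logged against and which target types they touch before any rule is added to the module.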



