[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: Which permission to execute a script?
- From: Bruno Wolff III <bruno wolff to>
- To: Daniel J Walsh <dwalsh redhat com>
- Cc: fedora-selinux-list redhat com
- Subject: Re: Which permission to execute a script?
- Date: Mon, 17 Nov 2008 23:22:42 -0600
On Mon, Nov 17, 2008 at 19:07:40 -0600,
Bruno Wolff III <bruno wolff to> wrote:
> On Mon, Nov 17, 2008 at 17:07:42 -0600,
> Bruno Wolff III <bruno wolff to> wrote:
> >
> > There doesn't seem to be a http_user_script_exec_t type. Probably it's a
> > typo, but I didn't see a way to get a full list and didn't manage to
> > guess the correct name.
>
> Yep, typo. For the archive, 'seinfo -t' provides a list of types.
>
> The guest policy (at least my modified version) does not allow access to
> files labelled httpd_user_script_exec_t.
>
> I'll keep putzing with this.
I have it working now. In the end I needed to give both execute and
execute_no_trans permission for tom_t running httpd_sys_script_exec_t.
The allow_xguest_exec_content and allow_guest_exec_content booleans
didn't seem to make a difference.
Going forward I might want to spend the time to dial this policy back
as I am executing the scripts with those types as an unconfined user
(or perhaps I should use the user_u role) and I'd like to prevent tom_t
from changing them (or replacing the files) with selinux.
I was having trouble finding what the manage_files_pattern and
manage_dirs_pattern macros expand to and exactly what functions some
of the permissions allow. Is there any good documentation of these things
online?
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]