Re: awstats AVC denial

[Vadym Chepkov <chepkov yahoo com>]

well, I suppose it's a feature

I did more sasearch and looked what is allowed:

   allow httpd_sys_script_t httpd_sys_script_ra_t : dir { ioctl read write getattr lock add_name search };
   allow httpd_sys_script_t httpd_sys_script_ro_t : dir { read getattr search };
   allow httpd_sys_script_t httpd_sys_script_rw_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir };

so I have to relabel all files from httpd_sys_content_t to httpd_sys_script_ro_t in Redhat? doesn't make much sense to me


Sincerely yours,
  Vadym Chepkov


--- On Sat, 2/7/09, Dominick Grift <domg472 gmail com> wrote:

> From: Dominick Grift <domg472 gmail com>
> Subject: Re: awstats AVC denial
> To: "Vadym Chepkov" <chepkov yahoo com>
> Cc: "Fedora SELinux" <fedora-selinux-list redhat com>
> Date: Saturday, February 7, 2009, 11:07 AM
> On Sat, 2009-02-07 at 08:03 -0800, Vadym Chepkov wrote:
> 
> > Why?
> 
> That confirms that there is not any "tunable"
> policy available and that
> this is a bug in policy.
> 
> > Sincerely yours,
> >   Vadym Chepkov
> >