SELinux/httpd integration
Yuichi Nakamura
himainu-ynakam at miomio.jp
Sun Nov 28 20:10:12 UTC 2004
Karsten Wade wrote:
> > >httpd_t *cannot* write to anything labelled with httpd_sys_content_t by
> > >default, surely - that's the whole problem?
> I can't find this allow rule in 1.17.30-2.34. I've used apol direct and
> transitive information flow analysis and good ol' grep to no avail.
> Before I post a very long message detailing everything I did, can
> someone tell me how httpd_t has gained write allow for
> httpd_sys_content_t? FWIW, I finally set the boolean in apache.te and
> recompiled policy, but still can't find the write.
It is in macros/program/apache_macros.te.
I picked out the related part below.
---
113 if (httpd_enable_cgi) && (httpd_unified) ifdef(`targeted_policy', ` && !(httpd_disable_trans)') {
114 ifelse($1, sys, `
115 domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
116 domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
117 domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
118 create_dir_file(httpd_t, httpdcontent)
119 ', `
120 create_dir_file(httpd_$1_script_t, httpdcontent)
121 can_exec(httpd_$1_script_t, httpdcontent )
122 domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
123 ')
124 }
---
Line 118 and line 120 are what you are looking for.
In policy.conf I found 3 rules, too.
type httpd_sys_content_t, file_type, homedirfile, httpdcontent, sysadmfile;
allow httpd_t httpdcontent:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow httpd_t httpdcontent:file { create ioctl read getattr lock write setattr append link unlink rename };
> I can't find this allow rule in 1.17.30-2.34. I've used apol direct and
> transitive information flow analysis and good ol' grep to no avail.
I tried apol now, but I could not find the rule, either.
apol information flow may not support attributes or booleans, but I am not sure.
---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
http://www.selinux.gr.jp/
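The reason a plain grep for httpd_sys_content_t misses the write permission is that the rule is written against the attribute httpdcontent and is wrapped in a boolean conditional. The following added example (not part of the original mail or of the Fedora policy) models just those two mechanisms with constructed data: it expands the attribute from the quoted type declaration and evaluates the quoted rules under the booleans, assuming the targeted_policy branch of line 113.

```python
# Minimal resolver for conditional, attribute-based allow rules, modelled on
# the apache_macros.te and policy.conf lines quoted in the mail above.
# Constructed data for illustration; this is not the real policy database.
from dataclasses import dataclass

# Attribute membership taken from the quoted 'type' declaration:
# httpd_sys_content_t carries the httpdcontent attribute.
ATTRIBUTES = {"httpdcontent": {"httpd_sys_content_t"}}

@dataclass
class AllowRule:
    source: str
    target: str            # a concrete type or an attribute name
    tclass: str
    perms: set
    requires_true: tuple = ()   # booleans that must be on
    requires_false: tuple = ()  # booleans that must be off

    def active(self, booleans):
        """Evaluate the conditional the rule was generated under."""
        return (all(booleans.get(b, False) for b in self.requires_true)
                and not any(booleans.get(b, False) for b in self.requires_false))

# The two allow rules quoted from policy.conf, produced by create_dir_file()
# at line 118 under the 'if' at line 113 (targeted_policy branch assumed).
COND_TRUE = ("httpd_enable_cgi", "httpd_unified")
COND_FALSE = ("httpd_disable_trans",)
RULES = [
    AllowRule("httpd_t", "httpdcontent", "dir",
              {"create", "read", "getattr", "lock", "setattr", "ioctl", "link",
               "unlink", "rename", "search", "add_name", "remove_name",
               "reparent", "write", "rmdir"}, COND_TRUE, COND_FALSE),
    AllowRule("httpd_t", "httpdcontent", "file",
              {"create", "ioctl", "read", "getattr", "lock", "write", "setattr",
               "append", "link", "unlink", "rename"}, COND_TRUE, COND_FALSE),
]

def expand(name):
    """Concrete types named by a type or attribute (a type names itself)."""
    return ATTRIBUTES.get(name, {name})

def allowed(booleans, source, target_type, tclass, perm):
    """True if some rule active under 'booleans' grants the permission."""
    return any(r.source == source and r.tclass == tclass and perm in r.perms
               and target_type in expand(r.target) and r.active(booleans)
               for r in RULES)
```

With httpd_enable_cgi and httpd_unified both on, allowed() reports httpd_t can write httpd_sys_content_t files; turning httpd_unified off or httpd_disable_trans on makes the same query fail, which is what a grep for the concrete type name cannot show.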