CGI permissions for targeted policy
Daniel J Walsh
dwalsh at redhat.com
Tue Apr 5 12:39:24 UTC 2005
Ben wrote:
> Yes exactly; the tmp file is being created by php and then the CGI
> program reads the file.
>
Do you have the ability to change the PHP script to not create in /tmp
but to create some where
under /var/www?
> On Apr 1, 2005, at 10:57 AM, Daniel J Walsh wrote:
>
>> Ben wrote:
>>
>>> I have been having some problems with a CGI program, and audit2allow
>>> shows I should add these permissions:
>>>
>>> allow httpd_sys_script_t devpts_t:chr_file { read write };
>>> allow httpd_sys_script_t httpd_tmp_t:file getattr;
>>> allow httpd_sys_script_t httpd_tmp_t:file read;
>>>
>>> I'm pretty green at SELinux, so I'm not too sure what these allow. I
>>> suspect that the last rule lets httpd_sys_script_t programs read
>>> files of type httpd_tmp_t, and the second rule lets them stat()
>>> those files. What does the first rule mean, exactly? The CGI program
>>> I'm trying to run creates a random filename, and I expect this is
>>> related to that, but there ends my speculation.
>>>
>> The first error is the httpd script trying to access a terminal. The
>> other errors are httpd trying to read the tmp file. Is the tmp file
>> created by a builtin function (php)? And the a cgi script runs to
>> read it?
>>
>> Dan
>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
>>
>>
>> --
>>
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
More information about the fedora-selinux-list
mailing list