Another Apache problem

Daniel J Walsh dwalsh at redhat.com
Wed Apr 6 18:31:08 UTC 2005


David Hampton wrote:

>On Mon, 2005-04-04 at 17:01 -0400, Daniel J Walsh wrote:
>
>  
>
>>r_dir_file(httpd_t, http_$1_content_t) was locked in this boolean.
>>
>>I have moved it outside and once you update to tomorrow's policy, you should
>>be able to turn off all booleans and still serve pages.
>>    
>>
>
>Should there also be an "r_dir_file(httpd_t, httpdcontent)" statement in
>the same place?  (Or in its place, since http_$1_content_t is marked
>with the httpdcontent attribute).  Or am I misunderstanding the reason
>behind the httpdcontent attribute?  The comment with this attribute is
>pretty sparse.
>
>The question comes up because in one of the policies I submitted, I had 
>
>	type yam_content_t, file_type, sysadmfile, httpdcontent;
>
>Should this be sufficient to allow httpd to serve the files, or do I
>need to explicitly add 
>
>	r_dir_file(httpd_t, yam_content_t)
>
>I have the equivalent of this line at the moment, but would like to
>remove it if it's redundant (or should be redundant).
>
>Thanks.
>  
>
httpdcontent is used by the httpd_unified domain, which says treat
all httpdcontent the same.
So that would only be used within that boolean.  So if you want to turn
off all booleans for httpd (most secure),
you would have to add

	r_dir_file(httpd_t, yam_content_t)

If you want to run with httpd_unified you don't need to.

httpd_unified on a machine without httpd scripts would not make much difference. 

Dan


>David
>
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>  
>
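The arrangement described in the reply above, as an added policy sketch that is not part of the original thread and is not copied from the Fedora apache policy. The rule placed inside the conditional is an assumption based on the reply's statement that httpdcontent is only used within the httpd_unified boolean; the real conditional block may contain different or additional rules.

```selinux
# Added illustration, simplified; not the shipped apache.te.

# Content type from the question. It carries the httpdcontent attribute,
# so any rule written against httpdcontent also covers yam_content_t.
type yam_content_t, file_type, sysadmfile, httpdcontent;

# Conditional access (assumed form): written against the attribute, so it
# treats all httpdcontent types the same, but it is only in force while
# the httpd_unified boolean is on.
if (httpd_unified) {
r_dir_file(httpd_t, httpdcontent)
}

# Unconditional access: written against the specific type and placed
# outside every boolean, so httpd_t can still read yam_content_t when
# all httpd booleans are turned off.
r_dir_file(httpd_t, yam_content_t)

# Resulting read access for httpd_t to yam_content_t:
#   httpd_unified on,  explicit rule absent  -> allowed (via the attribute)
#   httpd_unified off, explicit rule absent  -> denied
#   httpd_unified off, explicit rule present -> allowed
```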