Horde Application Suite and SELinux...

Colin Walters walters at redhat.com
Tue Feb 22 22:12:20 UTC 2005


On Tue, 2005-02-22 at 14:14 -0700, Tom Lisjac wrote:
>Hi folks!
>
>I've just installed the PHP-based Horde Application Suite
>(http://horde.org) on Fedora Core 3. Everything is working great
>with the targeted policy and SELinux enabled except for a small
>problem with spell checking in the Imp webmail app.
>
>The spell checker passes the text to aspell using a temporary file in
>/tmp. The targeted policy prohibits "http scripts" from using the /tmp
>directory... 

CGI scripts (running as httpd_sys_script_t) shouldn't be prevented from
using /tmp; this macro in macros/apache_macros.te allows it:

file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)

>so aspell runs but doesn't return any results. If I
>disable SELinux, it works fine... but since this server will be
>running in a hostile environment, I'd rather not.  I could also add:
>
>allow httpd_sys_script_t httpd_tmp_t:file { getattr read };

Hmmm.  httpd_tmp_t is the type of temporary files generated by the main
webserver, not by CGI scripts.  Perhaps what's happening is you have
some PHP code which is using aspell and creating a temporary file in the
main httpd process, and then a CGI script wants to read that later?

Hard to say without knowing more details about how aspell works.
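
The following is an added example, not part of the original message or of the SELinux policy sources. It shows one way to triage the denial discussed above: group AVC denials by source and target type, print the candidate allow rule, and flag the case where a script domain touches httpd_tmp_t, the type the reply attributes to files created by the main httpd process. The log lines, paths, pids and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the thread), in the general
# shape of kernel AVC denial messages. The last line is unrelated noise.
SAMPLE_LOG = """\
audit(1109110340.101:0): avc:  denied  { getattr } for  pid=2101 exe=/usr/bin/aspell path=/tmp/spellABC123 dev=hda2 ino=4711 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=file
audit(1109110340.102:0): avc:  denied  { read } for  pid=2101 exe=/usr/bin/aspell name=spellABC123 dev=hda2 ino=4711 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=file
kernel: eth0: link up
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class) -> set of perms."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC lines are skipped
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            grouped[key].update(m["perms"].split())
    return dict(grouped)

def report(grouped):
    """Render each group as a candidate allow rule plus a triage hint."""
    lines = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        lines.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
        # A script domain hitting httpd_tmp_t means the file was labelled by
        # the main httpd process rather than by the script's own /tmp transition.
        if src.startswith("httpd_") and src.endswith("_script_t") and tgt == "httpd_tmp_t":
            lines.append("#   httpd_tmp_t target: file was created by the main httpd process")
    return lines

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

If the hint line appears, the next thing to establish is which process creates the temporary file before widening the script domain's access.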




