making a user create files as "user_u:system_r:httpd_t"

Paul Howarth paul at city-fan.org
Thu Feb 1 07:41:09 UTC 2007


On Thu, 2007-02-01 at 01:57 +0000, Hugo Martin Campos V. wrote:
> Hello list,
> 
> I am analyzing an HTTPd server working with SELinux in permissive mode
> before I enforce it. The problem I've seen so far begins when
> the .html .php files get uploaded by the person in charge and they are
> labeled as "system_u:object_r:default_t" and the label needs to be
> "user_u:system_r:httpd_t"
> 
> The resulting error:
> avc:  denied  { getattr } for  pid=8244 comm="httpd" name="/" dev=hda5
> ino=2 scontext=user_u:system_r:httpd_t
> tcontext=system_u:object_r:default_t tclass=dir
> 
> I added that folder to be labeled as "user_u:system_r:httpd_t" in
> "/etc/selinux/targeted/src/policy/file_contexts/file_contexts" to
> relabel it with "fixfiles restore" (and it works) but it's not
> practical to relabel everything every time that user uploads a webpage.
> 
> What should I do? My knowledge goes as far as labeling. Do I need to
> set roles, or should I follow audit2allow advice for now? It would
> just be cool to autolabel every file uploaded by that user as
> "user_u:system_r:httpd_t".

How is the person uploading the files and where in the directory
hierarchy are they uploading them to?

Paul.



