Which permission to execute a script?

Bruno Wolff III bruno at wolff.to
Tue Nov 18 05:22:42 UTC 2008


On Mon, Nov 17, 2008 at 19:07:40 -0600,
  Bruno Wolff III <bruno at wolff.to> wrote:
> On Mon, Nov 17, 2008 at 17:07:42 -0600,
>   Bruno Wolff III <bruno at wolff.to> wrote:
> > 
> > There doesn't seem to be a http_user_script_exec_t type. Probably it's a
> > typo, but I didn't see a way to get a full list and didn't manage to
> > guess the correct name.
> 
> Yep, typo. For the archive, 'seinfo -t' provides a list of types.
> 
> The guest policy (at least my modified version) does not allow access to
> files labelled httpd_user_script_exec_t.
> 
> I'll keep putzing with this.

I have it working now. In the end I needed to give both execute and
execute_no_trans permission for tom_t running httpd_sys_script_exec_t.

The allow_xguest_exec_content and allow_guest_exec_content booleans
didn't seem to make a difference.

Going forward I might want to spend the time to dial this policy back
as I am executing the scripts with those types as an unconfined user
(or perhaps I should use the user_u role) and I'd like to prevent tom_t
from changing them (or replacing the files) with selinux.

I was having trouble finding what the manage_files_pattern and
manage_dirs_pattern macros expand to and exactly what functions some
of the permissions allow. Is there any good documentation of these things
online?




More information about the fedora-selinux-list mailing list