Which permission to execute a script?
Bruno Wolff III
bruno at wolff.to
Tue Nov 18 05:22:42 UTC 2008
On Mon, Nov 17, 2008 at 19:07:40 -0600,
Bruno Wolff III <bruno at wolff.to> wrote:
> On Mon, Nov 17, 2008 at 17:07:42 -0600,
> Bruno Wolff III <bruno at wolff.to> wrote:
> >
> > There doesn't seem to be a http_user_script_exec_t type. Probably it's a
> > typo, but I didn't see a way to get a full list and didn't manage to
> > guess the correct name.
>
> Yep, typo. For the archive, 'seinfo -t' provides a list of types.
>
> The guest policy (at least my modified version) does not allow access to
> files labelled httpd_user_script_exec_t.
>
> I'll keep putzing with this.
I have it working now. In the end I needed to give both execute and
execute_no_trans permission for tom_t running httpd_sys_script_exec_t.
The allow_xguest_exec_content and allow_guest_exec_content booleans
didn't seem to make a difference.
Going forward I might want to spend the time to dial this policy back
as I am executing the scripts with those types as an unconfined user
(or perhaps I should use the user_u role) and I'd like to prevent tom_t
from changing them (or replacing the files) with selinux.
I was having trouble finding what the manage_files_pattern and
manage_dirs_pattern macros expand to and exactly what functions some
of the permissions allow. Is there any good documentation of these things
online?
More information about the fedora-selinux-list
mailing list