httpd interface question

Daniel J Walsh dwalsh at redhat.com
Tue Jul 21 19:30:07 UTC 2009


On 07/21/2009 03:24 PM, Daniel J Walsh wrote:
> On 07/18/2009 11:03 PM, Vadym Chepkov wrote:
>> Hi, 
>>
>> I have a question about httpd interface on RedHat 5.3
>> selinux-policy-targeted-2.4.6-203.el5
>>
>> I have httpd_unified --> off
>> and I defined domain for subversion:
>>
>> apache_content_template(svn)
>>
>> I labeled my subversion hooks as httpd_svn_script_exec_t
>> and I expected it will be able to read files labeled as httpd_svn_content_t, but it is not the case:  
>>
>> type=AVC msg=audit(1247931060.612:40993): avc:  denied  { read } for  pid=21405 comm="svn-mailer" name="svn-mailer.cfg" dev=sda1 ino=773360 scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:httpd_svn_content_t:s0 tclass=file
>>
>> # sesearch -a -s httpd_svn_script_t -t httpd_svn_content_t
>> Found 1 av rules:
>>    allow httpd_svn_script_t httpd_svn_content_t : dir { getattr search }; 
>>
> I would say this is a bug.
> 
>  
>> The question is, why only this and nothing else?
>>
>> Sincerely yours,
>>   Vadym Chepkov
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

RHEL5 defined httpd_$1_script_ro_t, which it is allowed to read.  In Fedora we have merged the two together.

I am updating the RHEL5.4 policy to include

	list_dirs_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
	read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)

selinux-policy-2.4.6-254.el5.src.rpm
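As an added example (not code from the thread or from the policy package), a small Python helper that does what Vadym did by hand: it parses the AVC denial and the sesearch output, reports which permissions the current rules lack, and then checks whether the rules the three pattern macros add would cover the denial. The macro expansion in pattern_fix() is my assumption of what list_dirs_pattern/read_files_pattern/read_lnk_files_pattern produce with RHEL5-era permission sets (no "open" permission); confirm against the installed policy before relying on it.

```python
import re

# Constructed sample input, copied from the thread: the AVC denial and the
# single allow rule that sesearch found before the fix.
AVC_LINE = ('type=AVC msg=audit(1247931060.612:40993): avc:  denied  { read } for  pid=21405 '
            'comm="svn-mailer" name="svn-mailer.cfg" dev=sda1 ino=773360 '
            'scontext=user_u:system_r:httpd_svn_script_t:s0 '
            'tcontext=system_u:object_r:httpd_svn_content_t:s0 tclass=file')
RULES_BEFORE = "   allow httpd_svn_script_t httpd_svn_content_t : dir { getattr search };"

AVC_RE = re.compile(r'denied\s+\{ (?P<perms>[^}]+)\}.*?scontext=\w+:\w+:(?P<src>\w+):'
                    r'.*?tcontext=\w+:\w+:(?P<tgt>\w+):.*?tclass=(?P<cls>\w+)')
ALLOW_RE = re.compile(r'allow (\w+) (\w+) : (\w+) \{ ([^}]+)\};')

def parse_avc(line):
    """Extract source type, target type, object class and denied permissions."""
    m = AVC_RE.search(line)
    return {'src': m['src'], 'tgt': m['tgt'], 'cls': m['cls'],
            'perms': set(m['perms'].split())}

def parse_allow(text):
    """Collect sesearch-style allow rules into {(src, tgt, class): {perms}}."""
    allowed = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        allowed.setdefault((src, tgt, cls), set()).update(perms.split())
    return allowed

def missing_perms(avc, allowed):
    """Permissions the denial asked for that no allow rule grants."""
    key = (avc['src'], avc['tgt'], avc['cls'])
    return avc['perms'] - allowed.get(key, set())

def pattern_fix(script_t, content_t):
    """Assumed expansion of the three pattern macros from the reply (hypothetical,
    RHEL5-era perm sets): list_dir_perms, read_file_perms, read_lnk_file_perms."""
    return (f"allow {script_t} {content_t} : dir {{ getattr search read lock ioctl }};\n"
            f"allow {script_t} {content_t} : file {{ getattr read lock ioctl }};\n"
            f"allow {script_t} {content_t} : lnk_file {{ getattr read }};")

if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    print('missing before fix:', missing_perms(avc, parse_allow(RULES_BEFORE)))
    fixed = RULES_BEFORE + '\n' + pattern_fix('httpd_svn_script_t', 'httpd_svn_content_t')
    print('missing after fix: ', missing_perms(avc, parse_allow(fixed)))
```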




