[Freeipa-devel] Writing to /var/cache/ipa/assets/

Simo Sorce ssorce at redhat.com
Fri Jun 18 21:53:02 UTC 2010


On Fri, 18 Jun 2010 17:28:19 -0400
Adam Young <ayoung at redhat.com> wrote:

> On 06/18/2010 04:51 PM, Rob Crittenden wrote:
> > Adam Young wrote:
> >> Pavel's current code base tries to write
> >> to  /var/cache/ipa/assets/ from within httpd, which is forbidden
> >> by SELinux.  I suspect the code in the mainline might be doing
> >> this as well.  The workaround is:
> >>
> >> chcon -R -t httpd_sys_content_rw_t /var/cache/ipa/assets
> >> semanage fcontext -a -t httpd_sys_content_rw_t 'assets'
> >>
> >> If we are going to do this kind of code generation, we might want
> >> to do it at install time, or as part of something like
> >> /etc/init.d/ipa-server start
> >>
> >
> > I'd think this rule would cover it in ipa_httpd.fc:
> >
> > /var/cache/ipa/assets(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> >
> > rob
> Before I open a bug I want to review with Pavel.  I wasn't seeing
> this before I merged in his changes, and it wasn't for code in the
> main git repo, so no bug yet.

As a general rule I don't like that apache gets to write to the file
system, esp. if that means changing code that different users use at
the same time. It's too big a risk.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
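An added example, not code from this thread or from FreeIPA: a small Python checker that parses refpolicy-style .fc rules such as the ipa_httpd.fc line Rob quoted, reports which SELinux type a path would be labelled with, and flags whether httpd could write there. It assumes only httpd_sys_content_rw_t (the type in Adam's workaround; httpd_sys_rw_content_t is its newer name) is httpd-writable, and the sample rule text is constructed from the thread.

```python
"""Check which SELinux type refpolicy-style .fc rules give a path."""
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the rule quoted from ipa_httpd.fc in the thread.
IPA_HTTPD_FC = """
# ipa_httpd.fc (excerpt, as quoted in the thread)
/var/cache/ipa/assets(/.*)?   gen_context(system_u:object_r:httpd_sys_content_t,s0)
"""

# Types under which httpd may write. httpd_sys_content_t (the quoted rule)
# is read-only for httpd; httpd_sys_content_rw_t (the chcon workaround) is
# writable, and httpd_sys_rw_content_t is the newer name of that type.
HTTPD_WRITABLE_TYPES = {"httpd_sys_content_rw_t", "httpd_sys_rw_content_t"}

# <regex> [<file type flag>] gen_context(<user>:<role>:<type>[,<level>])
FC_LINE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>--|-[a-z])\s+)?"
    r"gen_context\((?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^,)]+)"
    r"(?:,(?P<level>[^)]+))?\)\s*$"
)

class FcRule(NamedTuple):
    regex: str
    ftype: Optional[str]
    setype: str

def parse_fc(text: str) -> List[FcRule]:
    """Parse .fc lines; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable .fc line: {line!r}")
        rules.append(FcRule(m["regex"], m["ftype"], m["type"]))
    return rules

def label_for(rules: List[FcRule], path: str) -> Optional[str]:
    """Type a path gets: each regex must match the whole path and, as in
    libselinux file_contexts matching, the last matching rule wins."""
    chosen = None
    for rule in rules:
        if re.fullmatch(rule.regex, path):
            chosen = rule.setype
    return chosen

def httpd_can_write(rules: List[FcRule], path: str) -> bool:
    """True only if the resulting type is one httpd is allowed to write."""
    return label_for(rules, path) in HTTPD_WRITABLE_TYPES

def to_semanage(rule: FcRule) -> str:
    """Persistent equivalent of a rule as a semanage(8) local customisation."""
    return f"semanage fcontext -a -t {rule.setype} '{rule.regex}'"
```

Running it on the quoted rule shows every path under /var/cache/ipa/assets labelled httpd_sys_content_t, which is why httpd's writes there are denied until the type is changed.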
