<div dir="ltr"><br><div><div class="gmail_extra"><div class="gmail_quote">On Wed, Apr 17, 2013 at 7:12 AM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<div class="im"><br>
On 04/16/2013 03:23 PM, Richard Greenwood wrote:<br>
> I have a CGI application named "mapserv" that needs to write to a specific<br>
> location: "/rwg/mapserver/tmp". I ran audit2allow which produced the<br>
> test.te file file below. I ran "semodule -i test.pp" and my CGI application<br>
> is now happy, and so you would think that I should be happy also. But I am<br>
> confused/concerned because I do not see "mapserv" nor do I see<br>
> "/rwg/mapserver/tmp" in the te file. So my uninformed interpretation of the<br>
> te file below is that I have just granted all httpd scripts permission to<br>
</div>> write to any directory. I did a quick test and this is thankfully /NOT/ the<br>
<div class="im">> case, but how does selinx know that I am granting only the "mapserv"<br>
> application write permissions to only the "/rwg/mapserver/tmp" directory? I<br>
> feel like there is a big piece that I am completely missing.<br>
><br>
> Thanks for your patience with a newbie. Rich<br>
><br>
><br>
> module test 1.0;<br>
><br>
> require { type httpd_sys_content_t; type httpd_sys_script_t; class dir<br>
> add_name; class file { write create }; }<br>
><br>
> #============= httpd_sys_script_t ============== allow httpd_sys_script_t<br>
> httpd_sys_content_t:dir add_name; allow httpd_sys_script_t<br>
> httpd_sys_content_t:file { write create };<br>
><br>
><br>
> -- Richard Greenwood <a href="mailto:richard.greenwood@gmail.com">richard.greenwood@gmail.com</a><br>
</div><div class="im">> <mailto:<a href="mailto:richard.greenwood@gmail.com">richard.greenwood@gmail.com</a>> <a href="http://www.greenwoodmap.com" target="_blank">www.greenwoodmap.com</a><br>
> <<a href="http://www.greenwoodmap.com" target="_blank">http://www.greenwoodmap.com</a>><br>
><br>
><br>
</div><div class="im">> -- selinux mailing list <a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
> <a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
><br>
<br>
</div>I just wrote a blog on this.<br>
<br>
<a href="http://danwalsh.livejournal.com/63137.html" target="_blank">http://danwalsh.livejournal.com/63137.html</a><br>
<br></blockquote></div><br><div>Rejy, Dominick and Daniel,<br><br></div>Thank you for the detail explanations and blog post. I'm not really having a problem with my CGI app, nor am I trying to create a custom type. I'm just trying to get a better understanding of SELinux generally, and specifically what policies audit2allow is creating. Your answers have gotten me a little closer.<br>
<br></div><div class="gmail_extra">Thanks,<br>Rich<br clear="all"><br>-- <br>Richard Greenwood<br><a href="mailto:richard.greenwood@gmail.com">richard.greenwood@gmail.com</a><br><a href="http://www.greenwoodmap.com">www.greenwoodmap.com</a>
</div></div></div>