On Tue, Oct 4, 2011 at 7:00 AM, Vadym Chepkov <vchepkov(a)gmail.com> wrote:
[ ... ]
I think it's one of those cases where if a person asks how to shoot
himself, he shouldn't be provided any recipes :)
The httpd_tmp_t does not provide any security advantage here, it is fully
accessible by the Web server, just not accessible by other tools that we use
in our development process (in particular Samba).
I'm moving the files into a directory labeled httpd_user_rw_content_t with
these Apache options:
    Options None
    AllowOverride None
    RewriteEngine Off
    php_admin_flag engine off
    AddType text/plain .html .htm .shtml .php .js
The Apache options should prevent anything from being executed (though any
suggestions on improving this are welcomed).
I understand where this requirement is coming from. Many current web engines
nowadays allow you to install "extensions" or "plugins" via web interface.
No, these are just image files, not code.
Regarding the rules you mentioned in your next message: I have similar rules
for my image directory, but SELinux does not apply them to this file. Since
the image is first uploaded to a temporary location, it has type httpd_tmp_t,
and it is not relabeled according to my policy when it is moved into its
final location.
-----Scott.
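
Added example (not part of the original message): a file that is moved rather than created in place keeps the SELinux type it had at its source, so a check over the image directory can list files still carrying httpd_tmp_t. The function name, the sample paths and the sample listing are constructed for illustration; the input format is what `stat -c '%C %n'` prints on an SELinux-enabled system.

```shell
#!/bin/sh
# Flag files whose SELinux type differs from the type the directory's
# file-context rules are expected to assign.
# Input on stdin: one "<context> <path>" line per file, as printed by
#   stat -c '%C %n' FILE...

# mislabeled EXPECTED_TYPE
# Prints "<actual_type> <path>" for each file whose type is not EXPECTED_TYPE.
mislabeled() {
    expected=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        context=${line%% *}   # text up to the first space
        path=${line#* }       # remainder; the path may contain spaces
        # A context is user:role:type[:level]; the MLS level may itself
        # contain ':' (for example s0:c0.c1023), so strip from the left.
        rest=${context#*:}    # drop the user field
        rest=${rest#*:}       # drop the role field
        type=${rest%%:*}      # keep the type, drop any level
        [ "$type" = "$expected" ] || printf '%s %s\n' "$type" "$path"
    done
}

# Constructed sample listing: one correctly labeled file and two that were
# moved in from a temporary location and kept httpd_tmp_t.
sample_listing() {
cat <<'EOF'
unconfined_u:object_r:httpd_user_rw_content_t:s0 /srv/www/images/logo.png
system_u:object_r:httpd_tmp_t:s0 /srv/www/images/upload 01.jpg
system_u:object_r:httpd_tmp_t:s0:c0.c1023 /srv/www/images/photo.png
EOF
}

check_sample() {
    sample_listing | mislabeled httpd_user_rw_content_t
}

check_sample
```

On a live system, feed the function from `stat -c '%C %n'` over the image directory; running `restorecon -v` on a reported path resets it to the type the policy's file-context rules specify.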