On Tue, Oct 4, 2011 at 7:00 AM, Vadym Chepkov <span dir="ltr">&lt;<a href="mailto:vchepkov@gmail.com">vchepkov@gmail.com</a>&gt;</span> wrote:<div>[ ... ]<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">


I think it&#39;s one of those cases where if a person asks how to shoot himself, he shouldn&#39;t be provided any recipes :)<br></blockquote><div><br></div><div>The <span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; background-color: rgb(255, 255, 255); ">httpd_tmp_t does not provide any security advantage here, it is fully accessible by the Web server, just not accessible by other tools that we use in our development process (in particular Samba).</span></div>

<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; background-color: rgb(255, 255, 255); "><br></span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; background-color: rgb(255, 255, 255); ">I&#39;m moving the files into a directory labeled httpd_user_rw_content_t with these Apache options:</span></div>

<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; background-color: rgb(255, 255, 255); "><br></span></div></div></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">

<div><div class="gmail_quote"><div><span class="Apple-style-span" style="font-size: 13px; background-color: rgb(255, 255, 255); "><font class="Apple-style-span" face="&#39;courier new&#39;, monospace"><div> Options None</div>

</font></span></div></div></div><div><div class="gmail_quote"><div><span class="Apple-style-span" style="font-size: 13px; background-color: rgb(255, 255, 255); "><font class="Apple-style-span" face="&#39;courier new&#39;, monospace"><div>

 AllowOverride None</div></font></span></div></div></div><div><div class="gmail_quote"><div><span class="Apple-style-span" style="font-size: 13px; background-color: rgb(255, 255, 255); "><font class="Apple-style-span" face="&#39;courier new&#39;, monospace"><div>

 RewriteEngine Off</div></font></span></div></div></div><div><div class="gmail_quote"><div><span class="Apple-style-span" style="font-size: 13px; background-color: rgb(255, 255, 255); "><font class="Apple-style-span" face="&#39;courier new&#39;, monospace"><div>

 php_admin_flag engine off</div></font></span></div></div></div><div><div class="gmail_quote"><div><span class="Apple-style-span" style="font-size: 13px; background-color: rgb(255, 255, 255); "><font class="Apple-style-span" face="&#39;courier new&#39;, monospace"><div>

 AddType text/plain .html .htm .shtml .php .js</div></font></span></div></div></div></blockquote><div><div class="gmail_quote"><div><br></div><div>The Apache options should prevent anything from being executed (though any suggestions on improving this are welcomed).</div>

<div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
I understand where this requirement is coming from. Many current web engines nowadays allow you to install &quot;extensions&quot; or &quot;plugins&quot; via web interface.<br></blockquote><div><br></div><div>No, these are just image files, not code.</div>

<div><br></div><div>Regarding the rules you mentioned in your next message: I have similar rules for my image directory, but SELinux does not apply them to this file.  Since the image is first uploaded to a temporary location, it has type httpd_tmp_t, and it is not relabeled according to my policy when it is moved into its final location.</div>

<div><br></div><div>-----Scott.</div><div><br></div></div></div>