On Thu, 2006-04-06 at 07:48 +0100, Paul Howarth wrote:
> You can't have multiple contexts for a file, so it's not possible AFAIK
> to have both the original context *and* public_content_rw_t.
Correct. See the "Multiple contexts" thread on the selinux list from
Jan 10 2005 for a discussion of why multiple contexts per file is a bad
idea. In short, it makes information flow analysis impossible without
considering the entire filesystem state.
> If your web server is only serving static data (nothing that requires
> write access to /var/www for the web server itself), you could
> relabel /var/www/* as public_content_t. If you have internal scripting
> like PHP that needs write access, you could use public_content_rw_t.
> However, if you're using cgi scripts that currently need
> httpd_script_exec_t, you'd need to generate a local policy module that
> allowed samba to read/write the httpd_* types.
Yes, local policy module seems like the sanest choice. If this is a
common situation, I suppose it could be incorporated into the upstream
policy under a boolean.
--
Stephen Smalley
National Security Agency
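The local policy module discussed above, as an added example that is not part of the thread: a small type-enforcement module that lets Samba's domain read and write the httpd content and CGI types, plus the checkmodule/semodule steps to build and load it. The type names smbd_t, httpd_sys_content_t and httpd_sys_script_exec_t, the module name and the file names are assumptions; confirm the types on your system with `seinfo -t` before loading, and drop `open` only on pre-2.6.26 kernels that lack that permission.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): local SELinux policy
# module granting smbd_t read/write on the httpd content and CGI types.
# Type and module names are assumptions; verify them with `seinfo -t`.
set -eu

MODULE=local_smb_httpd

# Emit the type-enforcement (.te) source for the module.
emit_te() {
    cat <<'EOF'
module local_smb_httpd 1.0;

require {
    type smbd_t;
    type httpd_sys_content_t;
    type httpd_sys_script_exec_t;
    class dir  { read write add_name remove_name search getattr open };
    class file { read write create unlink getattr setattr open };
}

# Samba may read and write static content and CGI scripts under /var/www.
# Scope is limited to these two types; httpd's own config/log types stay off-limits.
allow smbd_t httpd_sys_content_t:dir  { read write add_name remove_name search getattr open };
allow smbd_t httpd_sys_content_t:file { read write create unlink getattr setattr open };
allow smbd_t httpd_sys_script_exec_t:dir  { read write add_name remove_name search getattr open };
allow smbd_t httpd_sys_script_exec_t:file { read write create unlink getattr setattr open };
EOF
}

# Compile and load the module (needs checkpolicy + policycoreutils, run as root).
build_and_load() {
    emit_te > "$MODULE.te"
    checkmodule -M -m -o "$MODULE.mod" "$MODULE.te"
    semodule_package -o "$MODULE.pp" -m "$MODULE.mod"
    semodule -i "$MODULE.pp"
}

# Stand-alone run prints the policy source; pass --install to build and load it.
if [ "${1:-}" = "--install" ]; then
    build_and_load
else
    emit_te
fi
```

After loading, `semodule -l | grep local_smb_httpd` confirms the module is active, and any remaining denials show up in the audit log as AVC messages for smbd_t.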