I have a CGI application named "mapserv" that needs to write to a specific location: "/rwg/mapserver/tmp". I ran audit2allow which produced the test.te file below. I ran "semodule -i test.pp" and my CGI application is now happy, and so you would think that I should be happy also. But I am confused/concerned because I do not see "mapserv" nor do I see "/rwg/mapserver/tmp" in the te file. So my uninformed interpretation of the te file below is that I have just granted all httpd scripts permission to write to any directory. I did a quick test and this is thankfully NOT the case, but how does SELinux know that I am granting only the "mapserv" application write permissions to only the "/rwg/mapserver/tmp" directory? I feel like there is a big piece that I am completely missing.

Thanks for your patience with a newbie.
Rich


module test 1.0;

require {
        type httpd_sys_content_t;
        type httpd_sys_script_t;
        class dir add_name;
        class file { write create };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
allow httpd_sys_script_t httpd_sys_content_t:file { write create };


--
Richard Greenwood
richard.greenwood@gmail.com
www.greenwoodmap.com
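As an added illustration of what the two allow rules in the posted test.te actually match on (this is not part of Rich's message and not SELinux's own code), the Python script below parses those rules together with constructed `ps -eZ` and `ls -Z` style label lines and decides each access the way the kernel's access vector cache does: purely on (source type, target type, object class, permission). The process list, the PIDs, and every path other than /rwg/mapserver/tmp are constructed sample data; only the two allow lines are taken from the post.

```python
"""Toy SELinux access-vector check showing what an `allow` rule scopes on.

Added example, not code from the original post or from SELinux. The two
allow lines are the posted test.te rules; the process and file labels are
constructed sample data.
"""
import re

# The two allow rules from the posted test.te module.
TE_POLICY = """
allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
allow httpd_sys_script_t httpd_sys_content_t:file { write create };
"""

# Constructed `ps -eZ`-style lines: context, pid, command.
PROCESSES = """
system_u:system_r:httpd_sys_script_t:s0  4711  /var/www/cgi-bin/mapserv
system_u:system_r:httpd_sys_script_t:s0  4712  /var/www/cgi-bin/other.cgi
system_u:system_r:httpd_t:s0             1234  /usr/sbin/httpd
"""

# Constructed `ls -Z`-style lines: context, path.
FILES = """
system_u:object_r:httpd_sys_content_t:s0  /rwg/mapserver/tmp
system_u:object_r:httpd_sys_content_t:s0  /var/www/html/index.html
system_u:object_r:etc_t:s0                /etc/passwd
"""

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+);")


def parse_policy(text):
    """Return {(source_type, target_type, class): set(permissions)}."""
    rules = {}
    for line in text.strip().splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue
        src, tgt, cls, perms = m.groups()
        rules.setdefault((src, tgt, cls), set()).update(perms.strip("{} ").split())
    return rules


def type_of(context):
    """Extract the type field from a user:role:type[:level] context."""
    return context.split(":")[2]


def parse_processes(text):
    """Map command path -> domain type (the executable path is not a policy key)."""
    return {cmd: type_of(ctx) for ctx, _pid, cmd in
            (line.split() for line in text.strip().splitlines())}


def parse_files(text):
    """Map file path -> file type (the path itself is not a policy key)."""
    return {path: type_of(ctx) for ctx, path in
            (line.split() for line in text.strip().splitlines())}


def allowed(rules, procs, files, cmd, path, cls, perm):
    """Decide one access like the AVC does: look up (source type, target type, class).

    Neither the executable name nor the file path takes part in the lookup;
    they matter only insofar as they determine the labels.
    """
    return perm in rules.get((procs[cmd], files[path], cls), set())


RULES = parse_policy(TE_POLICY)
PROCS = parse_processes(PROCESSES)
LABELS = parse_files(FILES)


def demo():
    """Evaluate four accesses and return {description: decision}."""
    checks = {
        "mapserv add_name in /rwg/mapserver/tmp":
            ("/var/www/cgi-bin/mapserv", "/rwg/mapserver/tmp", "dir", "add_name"),
        "other.cgi write /var/www/html/index.html":
            ("/var/www/cgi-bin/other.cgi", "/var/www/html/index.html", "file", "write"),
        "mapserv write /etc/passwd":
            ("/var/www/cgi-bin/mapserv", "/etc/passwd", "file", "write"),
        "httpd add_name in /rwg/mapserver/tmp":
            ("/usr/sbin/httpd", "/rwg/mapserver/tmp", "dir", "add_name"),
    }
    return {desc: allowed(RULES, PROCS, LABELS, *args) for desc, args in checks.items()}


if __name__ == "__main__":
    for desc, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {desc}")
```

Running it shows that other.cgi, which also runs as httpd_sys_script_t, is granted write on index.html under /var/www/html simply because that file carries the same httpd_sys_content_t label as /rwg/mapserver/tmp; nothing in the rule names mapserv or the directory. The scoping comes from labelling, not from the allow rule, so the narrower fix is to give the directory a type that httpd scripts are already allowed to write to rather than opening up all of httpd_sys_content_t: in current reference policy that type is httpd_sys_rw_content_t (older policies call it httpd_sys_script_rw_t, so confirm the name with `seinfo -t | grep httpd` on the box), applied with `semanage fcontext -a -t httpd_sys_rw_content_t '/rwg/mapserver/tmp(/.*)?'` followed by `restorecon -Rv /rwg/mapserver/tmp`, after which the custom module is no longer needed.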