On 07/21/2009 03:24 PM, Daniel J Walsh wrote:
On 07/18/2009 11:03 PM, Vadym Chepkov wrote:
> Hi,
>
> I have a question about httpd interface on RedHat 5.3
> selinux-policy-targeted-2.4.6-203.el5
>
> I have httpd_unified --> off
> and I defined domain for subversion:
>
> apache_content_template(svn)
>
> I labeled my subversion hooks as httpd_svn_script_exec_t
> and I expected it will be able to read files labeled as httpd_svn_content_t, but it is not the case:
>
> type=AVC msg=audit(1247931060.612:40993): avc: denied { read } for pid=21405 comm="svn-mailer" name="svn-mailer.cfg" dev=sda1 ino=773360 scontext=user_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:httpd_svn_content_t:s0 tclass=file
>
> # sesearch -a -s httpd_svn_script_t -t httpd_svn_content_t
> Found 1 av rules:
> allow httpd_svn_script_t httpd_svn_content_t : dir { getattr search };
>
I would say this is a bug.
> The question is, why only this and nothing else?
>
> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
RHEL5 defined httpd_$1_script_ro_t which it is allowing to read. In Fedora we have merged
the two together.
I am updating the RHEL5.4 policy to include
list_dirs_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
selinux-policy-2.4.6-254.el5.src.rpm
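
The comparison made in this thread (the AVC denial against the sesearch result) can be done mechanically. The following is an added example, not code from the thread or from the SELinux project; the function names are hypothetical, and the two input strings are copied from the messages above.

```python
import re

# Audit record and sesearch output copied from the thread above.
AVC = ('type=AVC msg=audit(1247931060.612:40993): avc: denied { read } for '
       'pid=21405 comm="svn-mailer" name="svn-mailer.cfg" dev=sda1 ino=773360 '
       'scontext=user_u:system_r:httpd_svn_script_t:s0 '
       'tcontext=system_u:object_r:httpd_svn_content_t:s0 tclass=file')
SESEARCH = ('Found 1 av rules:\n'
            'allow httpd_svn_script_t httpd_svn_content_t : dir { getattr search };\n')

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?'
                    r'scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)')
ALLOW_RE = re.compile(r'allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+'
                      r'(?:\{([^}]*)\}|(\S+?))\s*;')


def context_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(':')[2]


def parse_avc(line):
    """Extract source type, target type, class and permissions of a denial."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial')
    perms, scon, tcon, tclass = m.groups()
    return {'source': context_type(scon), 'target': context_type(tcon),
            'tclass': tclass, 'perms': set(perms.split())}


def parse_allow_rules(text):
    """Map (source, target, class) to the set of permissions allowed."""
    rules = {}
    for src, tgt, cls, braced, single in ALLOW_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update((braced or single).split())
    return rules


def missing_permissions(avc_line, sesearch_text):
    """Return (class, permissions in the denial that no listed rule grants)."""
    d = parse_avc(avc_line)
    key = (d['source'], d['target'], d['tclass'])
    return d['tclass'], d['perms'] - parse_allow_rules(sesearch_text).get(key, set())


if __name__ == '__main__':
    tclass, missing = missing_permissions(AVC, SESEARCH)
    print('class %s: not granted %s' % (tclass, sorted(missing)))
```

The only rule sesearch found is for class dir, so the file-class read in the denial has no matching allow rule at all.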