Bruno Wolff III wrote:
On Mon, Nov 17, 2008 at 19:07:40 -0600,
Bruno Wolff III <bruno(a)wolff.to> wrote:
> On Mon, Nov 17, 2008 at 17:07:42 -0600,
> Bruno Wolff III <bruno(a)wolff.to> wrote:
>> There doesn't seem to be a http_user_script_exec_t type. Probably it's a
>> typo, but I didn't see a way to get a full list and didn't manage to
>> guess the correct name.
> Yep, typo. For the archive, 'seinfo -t' provides a list of types.
> The guest policy (at least my modified version) does not allow access to
> files labelled httpd_user_script_exec_t.
> I'll keep putzing with this.
I have it working now. In the end I needed to give both execute and
execute_no_trans permission for tom_t running httpd_sys_script_exec_t.
The allow_xguest_exec_content and allow_guest_exec_content booleans
didn't seem to make a difference.
Going forward I might want to spend the time to dial this policy back
as I am executing the scripts with those types as an unconfined user
(or perhaps I should use the user_u role) and I'd like to prevent tom_t
from changing them (or replacing the files) with selinux.
I was having trouble finding what the manage_files_pattern and
manage_dirs_pattern macros expand to and exactly what functions some
of the permissions allow. Is there any good documentation of these things?
A couple of things. People have asked for the ability to stop the
execution of programs in the homedir, so the least-privilege app does not
have the ability to execute content. Since xguest has the ability to
execute perl, sh, python and other interpreters, the value of shutting
down execution in the homedir is questionable. This means
~/bin/myscript.sh will fail, but sh ~/bin/myscript.sh will work. The
blocking of execution does work for all compiled code.
The policy for the boolean allows the execution of user_home_t, but
not other labeled files in the homedir, which is a bug.
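Below is an added example, not from this list thread nor from the Fedora or reference policy sources, of the loadable module shape Bruno's message describes: a domain tom_t allowed to run httpd_sys_script_exec_t content in its own domain (execute plus execute_no_trans) while being denied any permission that would let it modify or replace those files. The domain name tom_t and the module name tom_exec_cgi are assumptions taken from the thread. The macro expansions in the comments are quoted from the reference policy support files (support/file_patterns.spt and support/obj_perm_sets.spt) as I know them; the permission sets have changed between releases (the open permission, for one), so check them against the copy shipped on the build host rather than trusting the comment.

```selinux
policy_module(tom_exec_cgi, 1.0)

# tom_t is assumed to be declared by the local guest-derived policy,
# so it is only required here, not created. httpd_sys_script_exec_t
# comes from the apache module.
gen_require(`
	type tom_t;
	type httpd_sys_script_exec_t;
')

# What Bruno reports needing: "execute" lets the file be mapped executable,
# and "execute_no_trans" lets it run in the *calling* domain when no
# type_transition to a script domain applies. getattr/open/read are needed
# to load the script or binary at all (open only exists on policies that
# define it; drop it on older policy versions).
allow tom_t httpd_sys_script_exec_t:file { getattr open read execute execute_no_trans };

# Deliberately NOT used:
#   manage_files_pattern(tom_t, httpd_sys_script_exec_t, httpd_sys_script_exec_t)
# In refpolicy support/file_patterns.spt that macro expands to
#   allow $1 $2:dir rw_dir_perms;
#   allow $1 $3:file manage_file_perms;
# and support/obj_perm_sets.spt defines (as I recall them; verify locally)
#   rw_dir_perms      = { open getattr search lock ioctl read write add_name remove_name }
#   manage_file_perms = { create open getattr setattr read write append rename link unlink ioctl lock }
# i.e. it hands out write, unlink and rename, which is exactly the ability
# to alter or replace the scripts that the thread wants to keep away from tom_t.
# manage_dirs_pattern(...) likewise expands to
#   allow $1 $2:dir rw_dir_perms;
#   allow $1 $3:dir manage_dir_perms;
#   manage_dir_perms  = { create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }

# Assertion so that a later "just make it work" edit cannot silently
# reintroduce write access. Assertions are only enforced when
# expand-check is enabled in /etc/selinux/semanage.conf.
neverallow tom_t httpd_sys_script_exec_t:file { write append setattr unlink rename link };
```

Build and load it with the usual developer Makefile, make -f /usr/share/selinux/devel/Makefile tom_exec_cgi.pp followed by semodule -i tom_exec_cgi.pp, and then confirm what actually landed in the loaded policy rather than what you think you wrote: seinfo -t lists every type (the check that would have caught the http_user_script_exec_t typo), and sesearch --allow -s tom_t -t httpd_sys_script_exec_t -c file prints the resulting file-class rules, so any stray write or unlink permission shows up immediately (the option spelling is the setools 3 form of that era; setools 4 uses -A for --allow).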