httpd_sys_content_rw_t

Miroslav Grepl mgrepl at redhat.com
Tue Sep 27 13:51:19 UTC 2011


On 09/27/2011 11:37 AM, Vadym Chepkov wrote:
> On Sep 27, 2011, at 9:01 AM, Miroslav Grepl wrote:
>
>> On 09/25/2011 12:34 AM, Vadym Chepkov wrote:
>>> Hi,
>>>
>>> I think man httpd_selinux is outdated in RHEL6
>>>
>>> It looks like the proper name for httpd_sys_content_rw_t is httpd_sys_rw_content_t.
>>>
>>> At least restorecon is trying to correct it all the time:
>>>
>>> for example:
>>>
>>> restorecon reset /var/www/sel_blog/wp-content/uploads/2011/01/logo-150x150.jpg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:httpd_sys_content_rw_t:s0
>>>
>>> Vadym
>>>
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> Vadym,
>>
>> rpm -q selinux-policy
>
> Yep, I upgraded to 6.1 and the manual was changed. It is still inconsistent though:
>
> selinux-policy-3.7.19-93.el6_1.7.noarch
>
> man httpd_selinux
>
>        httpd_sys_rw_content_t
>         - Set files with httpd_sys_rw_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and dis-
>         allow other non sys scripts from access.
>         httpd_sys_content_ra_t
>         - Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file,  and
>         disallow other non sys scripts from access.
>
> Why is "rw" a prefix, but "ra" a suffix?
>
> Thanks,
> Vadym
>
>
We have more fixes in the latest RHEL6.2 policy but this is a bug which 
needs to be fixed.

