httpd_sys_content_rw_t
Miroslav Grepl
mgrepl at redhat.com
Tue Sep 27 13:51:19 UTC 2011
On 09/27/2011 11:37 AM, Vadym Chepkov wrote:
> On Sep 27, 2011, at 9:01 AM, Miroslav Grepl wrote:
>
>> On 09/25/2011 12:34 AM, Vadym Chepkov wrote:
>>> Hi,
>>>
>>> I think man httpd_selinux is outdated in RHEL6
>>>
>>> It looks like the proper name for httpd_sys_content_rw_t is httpd_sys_rw_content_t.
>>>
>>> At least restorecon is trying to correct it all the time:
>>>
>>> for example:
>>>
>>> restorecon reset /var/www/sel_blog/wp-content/uploads/2011/01/logo-150x150.jpg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:httpd_sys_content_rw_t:s0
>>>
>>> Vadym
>>>
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> Vadym,
>>
>> rpm -q selinux-policy
>
> Yep, I upgraded to 6.1 and the manual was changed. It is still inconsistent though:
>
> selinux-policy-3.7.19-93.el6_1.7.noarch
>
> man httpd_selinux
>
> httpd_sys_rw_content_t
> - Set files with httpd_sys_rw_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and dis-
> allow other non sys scripts from access.
> httpd_sys_content_ra_t
> - Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and
> disallow other non sys scripts from access.
>
> Why is "rw" a prefix, but "ra" a suffix?
>
> Thanks,
> Vadym
>
>
We have more fixes in the latest RHEL6.2 policy but this is a bug which
needs to be fixed.