total newbie audit2allow question

Daniel J Walsh dwalsh at redhat.com
Wed Apr 17 13:12:49 UTC 2013



On 04/16/2013 03:23 PM, Richard Greenwood wrote:
> I have a CGI application named "mapserv" that needs to write to a specific 
> location: "/rwg/mapserver/tmp". I ran audit2allow which produced the
> test.te file below. I ran "semodule -i test.pp" and my CGI application
> is now happy, and so you would think that I should be happy also. But I am 
> confused/concerned because I do not see "mapserv" nor do I see 
> "/rwg/mapserver/tmp" in the te file. So my uninformed interpretation of the
> te file below is that I have just granted all httpd scripts permission to
> write to any directory. I did a quick test and this is thankfully /NOT/ the
> case, but how does selinux know that I am granting only the "mapserv"
> application write permissions to only the "/rwg/mapserver/tmp" directory? I
> feel like there is a big piece that I am completely missing.
> 
> Thanks for your patience with a newbie. Rich
> 
> 
> module test 1.0;
> 
> require {
>         type httpd_sys_content_t;
>         type httpd_sys_script_t;
>         class dir add_name;
>         class file { write create };
> }
> 
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
> allow httpd_sys_script_t httpd_sys_content_t:file { write create };
> 
> 
> -- 
> Richard Greenwood
> richard.greenwood at gmail.com
> www.greenwoodmap.com
> 
> 
> -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 

I just wrote a blog on this.

http://danwalsh.livejournal.com/63137.html


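An added illustration, not part of this thread or of the linked blog post: a toy type-enforcement check in Python that parses the allow rules from the quoted test.te and applies them to a constructed `ls -Z`-style inventory. It assumes /rwg/mapserver/tmp carries httpd_sys_content_t (which is what the audit2allow output implies was being denied) and shows why neither "mapserv" nor the path appears in the module: the decision is made on the process type and the file type alone, so the rules reach every httpd_sys_content_t file and directory, not just the one the CGI needed.

```python
import re

# The module quoted in the question, verbatim apart from the line wrapping
# the mail client introduced.
TE_MODULE = """
module test 1.0;
require {
    type httpd_sys_content_t;
    type httpd_sys_script_t;
    class dir add_name;
    class file { write create };
}
allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
allow httpd_sys_script_t httpd_sys_content_t:file { write create };
"""

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def parse_allow_rules(te_text):
    """Return (source_type, target_type, object_class, frozenset(perms)) per allow rule."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        rules.append((src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules

# Constructed `ls -Z`-style inventory: path -> (SELinux type, object class).
# The mapserv tmp dir is assumed to be labelled httpd_sys_content_t.
FILE_LABELS = {
    "/rwg/mapserver/tmp": ("httpd_sys_content_t", "dir"),
    "/var/www/html": ("httpd_sys_content_t", "dir"),
    "/var/www/html/index.html": ("httpd_sys_content_t", "file"),
    "/var/www/html/uploads": ("httpd_sys_rw_content_t", "dir"),
    "/etc/passwd": ("passwd_file_t", "file"),
}

def is_allowed(rules, source_type, path, perm, labels=FILE_LABELS):
    """Type enforcement in miniature: only the two labels decide, never the path."""
    target_type, cls = labels[path]
    return any(src == source_type and tgt == target_type and cls == c and perm in perms
               for src, tgt, c, perms in rules)

def paths_granted(rules, source_type, labels=FILE_LABELS):
    """Every inventory path the module newly lets source_type add to or write."""
    wanted = {"dir": "add_name", "file": "write"}
    return sorted(p for p, (_, cls) in labels.items()
                  if is_allowed(rules, source_type, p, wanted[cls], labels))

if __name__ == "__main__":
    for path in paths_granted(parse_allow_rules(TE_MODULE), "httpd_sys_script_t"):
        print("httpd_sys_script_t may now modify:", path)
```

Every path labelled httpd_sys_content_t is reported, and every httpd_sys_script_t process (not only mapserv) gets the access; /etc/passwd and the httpd_sys_rw_content_t directory are untouched by this module because their types do not match.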

