total newbie audit2allow question

Richard Greenwood richard.greenwood at gmail.com
Wed Apr 17 15:12:43 UTC 2013


On Wed, Apr 17, 2013 at 7:12 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/16/2013 03:23 PM, Richard Greenwood wrote:
> > I have a CGI application named "mapserv" that needs to write to a
> > specific location: "/rwg/mapserver/tmp". I ran audit2allow which produced
> > the test.te file below. I ran "semodule -i test.pp" and my CGI application
> > is now happy, and so you would think that I should be happy also. But I am
> > confused/concerned because I do not see "mapserv" nor do I see
> > "/rwg/mapserver/tmp" in the te file. So my uninformed interpretation of the
> > te file below is that I have just granted all httpd scripts permission to
> > write to any directory. I did a quick test and this is thankfully /NOT/ the
> > case, but how does selinux know that I am granting only the "mapserv"
> > application write permissions to only the "/rwg/mapserver/tmp" directory? I
> > feel like there is a big piece that I am completely missing.
> >
> > Thanks for your patience with a newbie. Rich
> >
> >
> > module test 1.0;
> >
> > require {
> >     type httpd_sys_content_t;
> >     type httpd_sys_script_t;
> >     class dir add_name;
> >     class file { write create };
> > }
> >
> > #============= httpd_sys_script_t ==============
> > allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
> > allow httpd_sys_script_t httpd_sys_content_t:file { write create };
> >
> >
> > --
> > Richard Greenwood
> > richard.greenwood at gmail.com
> > www.greenwoodmap.com
> >
> >
> >
>
> I just wrote a blog on this.
>
> http://danwalsh.livejournal.com/63137.html
>
>
Rejy, Dominick and Daniel,

Thank you for the detailed explanations and blog post. I'm not really having
a problem with my CGI app, nor am I trying to create a custom type. I'm
just trying to get a better understanding of SELinux generally, and
specifically what policies audit2allow is creating. Your answers have
gotten me a little closer.

Thanks,
Rich

-- 
Richard Greenwood
richard.greenwood at gmail.com
www.greenwoodmap.com
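The question in the quoted message (why the module never names "mapserv" or "/rwg/mapserver/tmp") comes down to how a type-enforcement rule is keyed. The example below is added here and is not code from the thread, from SELinux or from audit2allow: it parses the allow rules of the quoted test.te and evaluates them the way the kernel does, on (source type, target type, class, permission), with the path-to-type and process-to-type mappings supplied as constructed lookup tables. The labels in those tables (unconfined_t for a shell, passwd_file_t for /etc/passwd, httpd_sys_content_t for the tmp directory and for a web page) are assumptions for the example, not labels taken from the poster's host; on a real system they come from `ps -Z`, `ls -Z` and the file contexts. The defender's point it makes visible: the grant is scoped by labels, not by paths, so it covers every process running as httpd_sys_script_t and every file labelled httpd_sys_content_t, which is wider than one CGI program and one directory.

```python
"""Evaluate the allow rules of a small SELinux .te module.

Added example for the thread above; not the mailing list's own code and not
part of SELinux or audit2allow. It models only the type-enforcement rules in
the quoted test.te: a rule is keyed on the process (source) type, the file
(target) type, the object class and the permission set, and the path-to-type
mapping lives elsewhere (the file contexts).
"""
import re
from collections import defaultdict

# The quoted test.te from the thread, reproduced here as the example's input.
TEST_TE = """
module test 1.0;

require {
    type httpd_sys_content_t;
    type httpd_sys_script_t;
    class dir add_name;
    class file { write create };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
allow httpd_sys_script_t httpd_sys_content_t:file { write create };
"""

# allow <source_type> <target_type>:<class> <perm | { perm ... }>;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;",
    re.MULTILINE,
)


def parse_allow_rules(te_source):
    """Return {(source_type, target_type, class): {permissions}} per allow rule."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(te_source):
        rules[(src, tgt, cls)].update(perms.strip("{}").split())
    return dict(rules)


def is_allowed(rules, source_type, target_type, cls, perm):
    """Type-enforcement check: does a rule grant perm on cls for this type pair?"""
    return perm in rules.get((source_type, target_type, cls), set())


# Constructed labels standing in for what `ps -Z` and `ls -Z` would report.
# These are assumptions for the example, not labels from the poster's host.
PROCESS_TYPES = {
    "mapserv": "httpd_sys_script_t",  # CGI script launched by httpd
    "bash": "unconfined_t",           # an interactive shell
}
FILE_TYPES = {
    "/rwg/mapserver/tmp": "httpd_sys_content_t",  # assumed relabelled for the app
    "/etc/passwd": "passwd_file_t",               # assumed base-policy label
    "/var/www/html/index.html": "httpd_sys_content_t",
}


def check_access(rules, process, path, cls, perm):
    """Resolve process and path to types, then apply the module's rules.

    Only this module's rules are consulted; on a real host the base policy
    contributes its own allow rules, so False here means "not granted by
    test.te", not "denied by the system".
    """
    return is_allowed(rules, PROCESS_TYPES[process], FILE_TYPES[path], cls, perm)


def demo():
    rules = parse_allow_rules(TEST_TE)
    return {
        # The case the poster tested: granted, both types match the rule.
        "mapserv->/rwg/mapserver/tmp":
            check_access(rules, "mapserv", "/rwg/mapserver/tmp", "dir", "add_name"),
        # Same script, a differently labelled file: the module grants nothing.
        "mapserv->/etc/passwd":
            check_access(rules, "mapserv", "/etc/passwd", "file", "write"),
        # Same label as the tmp dir, so the module grants the same access here.
        "mapserv->/var/www/html/index.html":
            check_access(rules, "mapserv", "/var/www/html/index.html", "file", "write"),
        # A different process type: the rule does not apply, whatever the file.
        "bash->/rwg/mapserver/tmp":
            check_access(rules, "bash", "/rwg/mapserver/tmp", "dir", "add_name"),
    }


if __name__ == "__main__":
    for pair, granted in demo().items():
        print(f"{pair}: {'granted by test.te' if granted else 'not granted by test.te'}")
```

The third case in demo() is the one to notice when reviewing audit2allow output before installing it: because the web page in the constructed table carries the same httpd_sys_content_t label as the tmp directory, the module makes it writable by any httpd CGI script as well. Keeping the grant to one location is what a dedicated type for that directory (the custom-type approach mentioned in the reply) buys, at the cost of writing and labelling it yourself.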