2011-02-13 17:58:38

by domg472

Subject: [refpolicy] [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.

From 78d6e4acfc000b07dbf85b076fa523e95e72da3f Sun, 13 Feb 2011 18:55:53 +0100
From: Dominick Grift <[email protected]>
Date: Sun, 13 Feb 2011 18:55:09 +0100
Subject: [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.

Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.

Signed-off-by: Dominick Grift <[email protected]>

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index c9e1a44..6480167 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -218,10 +218,15 @@

role $1 types httpd_user_script_t;

- allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
-
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };

+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
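
Review bot: the six added pattern calls widen every domain passed as $2 from relabel-only access on httpd_user_content_t (the removed `allow ... { relabelto relabelfrom }` line) to full manage access on dir, file and lnk_file, and the commit message does not say why relabel alone was insufficient or which callers of apache_role depend on it; state that in the message and in the interface's documentation so the grant can be audited later. The unchanged httpd_user_htaccess_t line just above the new block still uses a raw allow with `relabelto relabelfrom`; converting it to manage_files_pattern and relabel_files_pattern would keep it consistent with the lines added here and with the httpd_user_ra_content_t patterns that follow.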


2011-02-14 14:46:55

by Daniel Walsh

Subject: [refpolicy] [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.

On 02/13/2011 12:58 PM, Dominick Grift wrote:
> From 78d6e4acfc000b07dbf85b076fa523e95e72da3f Sun, 13 Feb 2011 18:55:53 +0100
> From: Dominick Grift <[email protected]>
> Date: Sun, 13 Feb 2011 18:55:09 +0100
> Subject: [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
>
> Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
>
> Signed-off-by: Dominick Grift <[email protected]>
>
> diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
> index c9e1a44..6480167 100644
> --- a/policy/modules/services/apache.if
> +++ b/policy/modules/services/apache.if
> @@ -218,10 +218,15 @@
>
> role $1 types httpd_user_script_t;
>
> - allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
> -
> allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
>
> + manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +
> manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
> manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
> manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)

I agree with this, Fedora Policy includes this change.

2011-02-16 14:44:04

by cpebenito

Subject: [refpolicy] [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.

On 02/13/11 12:58, Dominick Grift wrote:
> From 78d6e4acfc000b07dbf85b076fa523e95e72da3f Sun, 13 Feb 2011 18:55:53 +0100
> From: Dominick Grift <[email protected]>
> Date: Sun, 13 Feb 2011 18:55:09 +0100
> Subject: [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
>
> Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
>
> Signed-off-by: Dominick Grift <[email protected]>

Merged.

> diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
> index c9e1a44..6480167 100644
> --- a/policy/modules/services/apache.if
> +++ b/policy/modules/services/apache.if
> @@ -218,10 +218,15 @@
>
> role $1 types httpd_user_script_t;
>
> - allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
> -
> allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
>
> + manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +
> manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
> manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
> manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com