From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 14 Feb 2011 09:46:55 -0500
Subject: [refpolicy] [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
In-Reply-To: <20110213175834.GA8573@localhost.localdomain>
References: <20110213175834.GA8573@localhost.localdomain>
Message-ID: <4D59405F.8060606@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/13/2011 12:58 PM, Dominick Grift wrote:
> From 78d6e4acfc000b07dbf85b076fa523e95e72da3f Sun, 13 Feb 2011 18:55:53 +0100 > From: Dominick Grift > Date: Sun, 13 Feb 2011 18:55:09 +0100 > Subject: [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links. > > Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links. > > Signed-off-by: Dominick Grift > > diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if > index c9e1a44..6480167 100644 > --- a/policy/modules/services/apache.if > +++ b/policy/modules/services/apache.if
> @@ -218,10 +218,15 @@ > > role $1 types httpd_user_script_t; > > - allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom }; > - > allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; > > + manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) > + manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) > + manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) > + relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) > + relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) > + relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) > + > manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) > manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) > manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)

I agree with this, Fedora Policy includes this change.
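
Review bot: the added block after the httpd_user_htaccess_t rule moves $2 from relabel-only access on httpd_user_content_t to full manage access on dirs, files and lnk_files, and the commit message gives no reason beyond restating the subject. Please state in the message which callers of apache_role need this and why, since every role passed as $2 gains write access to content labelled with this type. Converting the removed raw allow into relabel_dirs_pattern, relabel_files_pattern and relabel_lnk_files_pattern is a sound style change; the httpd_user_ra_content_t block that follows shows only manage_* lines in this context, so check that it carries matching relabel_* lines for consistency.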