From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 20 Jun 2012 19:39:25 +0200
Subject: [refpolicy] [PATCH 1/1] Support read/append/manage functions for various httpd content
In-Reply-To: <1340212343.9690.28.camel@x220.mydomain.internal>
References: <20120620161531.GE7987@siphos.be> <1340212343.9690.28.camel@x220.mydomain.internal>
Message-ID: <1340213965.9690.33.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2012-06-20 at 19:12 +0200, Dominick Grift wrote:
>
> Example:
>
> ########################################
> ##
> ## Append to all appendable web content files.
> ##
> ##
> ##
> ## Domain allowed access.
> ##
> ##
> #
> interface(`apache_append_all_ra_content_files',`
> 	gen_require(`
> 		attribute httpd_ra_content;
> 	')
>
> 	apache_search_sys_content($1)
> 	append_files_pattern($1, httpd_ra_content, httpd_ra_content)
> ')

This example actually isn't optimal either, because now it still can't
traverse httpcontent dirs.

Consider the following:

/var/www/www_bla_com/webapp1/logs

where webapp1 dir is labeled httpd_bla_content_t and logs is labeled
httpd_bla_ra_content_t.

The caller will need to traverse: /var, www, www_bla_com, webapp1 and logs.

So you'd need to use apache_search_all_content instead of
apache_search_sys_content.
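
The traversal problem described in the message above, as an added example that is not part of the original post or of refpolicy. It is a constructed model: the labels on /var, www and www_bla_com and the set of directory types each search interface covers are assumptions; only the webapp1 and logs labels come from the message.

```python
# Added illustration, not refpolicy code. Constructed model of the path in the
# message: a caller must hold "search" on every directory it walks through.

# (directory, type). The last two labels come from the message; the first
# three are assumptions made for this example.
PATH = [
    ("var", "var_t"),
    ("www", "httpd_sys_content_t"),
    ("www_bla_com", "httpd_sys_content_t"),
    ("webapp1", "httpd_bla_content_t"),
    ("logs", "httpd_bla_ra_content_t"),
]

# Directory types each search interface is modelled as covering (assumption).
SEARCH_GRANTS = {
    "apache_search_sys_content": {"var_t", "httpd_sys_content_t"},
    "apache_search_all_content": {
        "var_t", "httpd_sys_content_t",
        "httpd_bla_content_t", "httpd_bla_ra_content_t",
    },
}

# append_files_pattern($1, httpd_ra_content, httpd_ra_content) also lets the
# caller search directories carrying the ra content types.
PATTERN_SEARCH = {"httpd_bla_ra_content_t"}


def first_blocked_dir(search_interface, path=PATH):
    """Return the first directory the caller cannot search, or None."""
    allowed = SEARCH_GRANTS[search_interface] | PATTERN_SEARCH
    for name, dir_type in path:
        if dir_type not in allowed:
            return name
    return None


if __name__ == "__main__":
    for iface in SEARCH_GRANTS:
        print(iface, "->", first_blocked_dir(iface) or "reaches logs")
```
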