From: dominick.grift@gmail.com (Dominick Grift)
Date: Mon, 11 Feb 2013 20:30:19 +0100
Subject: [refpolicy] [PATCH/RFC] Reintroduce httpd_user_content_type and httpd_user_script_exec_type attributes
In-Reply-To: <20130211190233.GA11417@siphos.be>
References: <20130211190233.GA11417@siphos.be>
Message-ID: <1360611019.2559.22.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2013-02-11 at 20:02 +0100, Sven Vermeulen wrote:
> Hi all,
>
> The httpd_user_content_type and httpd_user_script_exec_type attributes were
> erroneously removed a while ago, but while trying to reintroduce them I did
> notice that they were removed because there was no way for users to actually
> use them (or I'm completely misreading the policy code).
>
> Below a first attempt at the patch, which also introduces two interfaces:
> apache_user_content_type() and apache_user_script_exec_type(), which assigns
> the given types the attributes again.
>
> However, when trying to find out if/when the Apache domain (httpd_t) should
> be able to execute the httpd_user_script_exec_type-labeled files (and read
> httpd_user_content_type-labeled files) I'm getting a bit lost and hopefully
> you can give me some guidance...
>
> Should I allow execute rights on httpd_user_script_exec_type if
> httpd_enable_cgi (boolean) and httpd_enable_homedirs (boolean) is set? And
> httpd_enable_homedirs (boolean) for reading httpd_user_content_type?
>
> Wkr,
> Sven Vermeulen
>

I still do not understand the purpose of this. Is there some actual need for this?

I deprecated the interface because it was unused and I could not see a convincing need for it to exist.

Can you enlighten me? What issue are you facing? Who, other than the user, needs to be able to manage user content/script dirs, files and symlinks?