From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 23 Oct 2013 13:57:05 -0400
Subject: [refpolicy] I think we made a large mistake when we designed apache_content_template.
Message-ID: <52680DF1.3000700@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

type httpd_$1_content_t; # customizable;
typeattribute httpd_$1_content_t httpd_content_type;
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
files_type(httpd_$1_content_t)

# This type is used for .htaccess files
type httpd_$1_htaccess_t, httpd_content_type; # customizable;
typeattribute httpd_$1_htaccess_t httpd_content_type;
files_type(httpd_$1_htaccess_t)

The problem I believe is we prefix the types with httpd_, I would like to remove this and change the code to something like

type $1_http_content_t; # customizable;
typeattribute $1_http_content_t httpd_content_type;
files_type($1_http_content_t)

# This type is used for .htaccess files
type $1_http_htaccess_t, httpd_content_type; # customizable;
typeattribute $1_http_htaccess_t httpd_content_type;
files_type($1_http_htaccess_t)

# Type that CGI scripts run as
type $1_cgi_t, httpd_script_type;
domain_type($1_cgi_t)
role system_r types $1_cgi_t;

type $1_cgi_exec_t, httpd_script_exec_type; # customizable;
typeattribute $1_cgi_exec_t httpd_content_type;

typeattribute httpd_$1_rw_content_t httpd_content_type;
typealias $1_http_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
files_type($1_http_rw_content_t)
...

Then tools can look for all content which begins bugzilla and have the correct types drawn.

http://danwalsh.livejournal.com/67007.html

Shows the problem of beginning all apache cgi domains with httpd_
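
The grouping problem described in the message above, as an added Python example that is not part of the original post or of refpolicy. The function names and the sample type list are constructed for illustration, and the old CGI names httpd_$1_script_t and httpd_$1_script_exec_t are an assumption taken from the upstream template, since the message only shows their proposed replacements.

```python
import re
from collections import defaultdict

# Old-name pattern -> new-name template, following the renames sketched in the
# message. The two script_* rows are an assumption (old names not shown there).
# Order matters: the rw_content rule must be tried before the content rule.
RENAMES = [
    (r"httpd_(\w+?)_script_exec_t", r"\1_cgi_exec_t"),
    (r"httpd_(\w+?)_script_t", r"\1_cgi_t"),
    (r"httpd_(\w+?)_(?:script_rw_t|content_rw_t|rw_content_t)",
     r"\1_http_rw_content_t"),
    (r"httpd_(\w+?)_htaccess_t", r"\1_http_htaccess_t"),
    (r"httpd_(\w+?)_content_t", r"\1_http_content_t"),
]

def rename(type_name):
    """Map a template-generated httpd_<app>_* type to the proposed <app>_* name."""
    for pattern, template in RENAMES:
        match = re.fullmatch(pattern, type_name)
        if match:
            return match.expand(template)
    return type_name  # not produced by the content template; leave untouched

def owner(type_name):
    """Owner guess made by a tool that groups types by their leading prefix."""
    return type_name.split("_", 1)[0]

def group_by_owner(types):
    groups = defaultdict(list)
    for name in types:
        groups[owner(name)].append(name)
    return dict(groups)

# Constructed sample: two core Apache types plus the template expansion for a
# hypothetical "bugzilla" module under the current naming.
SAMPLE = [
    "httpd_t", "httpd_exec_t",
    "httpd_bugzilla_content_t", "httpd_bugzilla_htaccess_t",
    "httpd_bugzilla_rw_content_t",
    "httpd_bugzilla_script_t", "httpd_bugzilla_script_exec_t",
]

if __name__ == "__main__":
    print("current :", group_by_owner(SAMPLE))
    print("proposed:", group_by_owner(rename(t) for t in SAMPLE))
```

Under the current naming every sample type is attributed to "httpd"; after the rename the five application types fall under "bugzilla" and only the core Apache types remain under "httpd".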