 
Old 09-25-2011, 12:34 AM
Vadym Chepkov
 
Default httpd_sys_content_rw_t

Hi,

I think man httpd_selinux is outdated in RHEL6

it looks like proper name for httpd_sys_content_rw_t is httpd_sys_rw_content_t.

at least restorecon is trying to correct it all the time :

for example:

restorecon reset /var/www/sel_blog/wp-content/uploads/2011/01/logo-150x150.jpg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:httpd_sys_content_rw_t:s0

Vadym

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 09-25-2011, 12:36 AM
Vadym Chepkov
 
Default httpd_sys_content_rw_t

And another mixup :

restorecon reset /root/.ssh context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
restorecon reset /root/.ssh/known_hosts context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0


On Sep 24, 2011, at 8:34 PM, Vadym Chepkov wrote:

> Hi,
>
> I think man httpd_selinux is outdated in RHEL6
>
> it looks like proper name for httpd_sys_content_rw_t is httpd_sys_rw_content_t.
>
> at least restorecon is trying to correct it all the time :
>
> for example:
>
> restorecon reset /var/www/sel_blog/wp-content/uploads/2011/01/logo-150x150.jpg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:httpd_sys_content_rw_t:s0
>
> Vadym
>

 
Old 09-25-2011, 08:12 AM
Dominick Grift
 
Default httpd_sys_content_rw_t

On Sat, 2011-09-24 at 20:34 -0400, Vadym Chepkov wrote:
> Hi,
>
> I think man httpd_selinux is outdated in RHEL6
>
> it looks like proper name for httpd_sys_content_rw_t is httpd_sys_rw_content_t.

Both are valid, they are aliased but restorecon prefers the other, but
it does not matter, both are the same.

> at least restorecon is trying to correct it all the time :
>
> for example:
>
> restorecon reset /var/www/sel_blog/wp-content/uploads/2011/01/logo-150x150.jpg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:httpd_sys_content_rw_t:s0
>
> Vadym
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


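The reply above says a relabel between two aliased type names changes nothing. The following is an added example, not part of the original thread: it parses `restorecon` reset lines in the format quoted in this thread and separates alias-only relabels from real type changes. The alias table, the function names and all sample lines except the first are assumptions made for the example.

```python
import re

# Operator-supplied alias groups (assumption): only the pair this thread confirms.
ALIAS_GROUPS = [{"httpd_sys_rw_content_t", "httpd_sys_content_rw_t"}]

# Line format quoted in the thread: restorecon reset <path> context <old>-><new>
RESET_RE = re.compile(
    r"^restorecon reset (?P<path>.+) context (?P<old>\S+)->(?P<new>\S+)$")

def selinux_type(context):
    """Return the type field of user:role:type[:level], or None if malformed."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else None

def canonical(type_name, groups=ALIAS_GROUPS):
    """Map every name in an alias group to one stable representative."""
    for group in groups:
        if type_name in group:
            return min(group)
    return type_name

def classify(line, groups=ALIAS_GROUPS):
    """Return (path, verdict) for a reset line, or None for any other line."""
    m = RESET_RE.match(line.strip())
    if m is None:
        return None
    old_t, new_t = selinux_type(m["old"]), selinux_type(m["new"])
    if old_t is None or new_t is None:
        return m["path"], "malformed-context"
    if old_t == new_t:
        return m["path"], "non-type-change"  # user, role or level differs
    if canonical(old_t, groups) == canonical(new_t, groups):
        return m["path"], "alias-only"
    return m["path"], "type-change"

def triage(text):
    """Classify every reset line in a block of restorecon output."""
    return [r for r in map(classify, text.splitlines()) if r is not None]

# Constructed sample: first line follows the thread's example, the rest are invented.
SAMPLE = """\
restorecon reset /var/www/sel_blog/wp-content/uploads/2011/01/logo-150x150.jpg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:httpd_sys_content_rw_t:s0
restorecon reset /var/www/sel_blog/wp-config.php context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/my site/a.txt context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_content_t:s0
"""

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE):
        print(f"{verdict:16} {path}")
```

Pairs missing from the table, such as the `ssh_home_t`/`home_ssh_t` lines elsewhere in this thread, are reported as `type-change` until the operator adds them as a confirmed alias group.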
 
Old 09-26-2011, 01:23 PM
Daniel J Walsh
 
Default httpd_sys_content_rw_t


On 09/24/2011 08:36 PM, Vadym Chepkov wrote:
> And another mixup :
>
> restorecon reset /root/.ssh context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
> restorecon reset /root/.ssh/known_hosts context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
>
>
> On Sep 24, 2011, at 8:34 PM, Vadym Chepkov wrote:
>
>> Hi,
>>
>> I think man httpd_selinux is outdated in RHEL6
>>
>> it looks like proper name for httpd_sys_content_rw_t is
>> httpd_sys_rw_content_t.
>>
>> at least restorecon is trying to correct it all the time :
>>
>> for example:
>>
>> restorecon reset /var/www/sel_blog/wp-content/uploads/2011/01/logo-150x150.jpg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:httpd_sys_content_rw_t:s0
>>
>> Vadym
>>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


Yes this should be fixed in the docs, F16 and later already have the fix.
 
Old 09-27-2011, 11:37 AM
Vadym Chepkov
 
Default httpd_sys_content_rw_t

On Sep 27, 2011, at 9:01 AM, Miroslav Grepl wrote:

> On 09/25/2011 12:34 AM, Vadym Chepkov wrote:
>> Hi,
>>
>> I think man httpd_selinux is outdated in RHEL6
>>
>> it looks like proper name for httpd_sys_content_rw_t is httpd_sys_rw_content_t.
>>
>> at least restorecon is trying to correct it all the time :
>>
>> for example:
>>
>> restorecon reset /var/www/sel_blog/wp-content/uploads/2011/01/logo-150x150.jpg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:httpd_sys_content_rw_t:s0
>>
>> Vadym
>>
>> --
>> selinux mailing list
>> selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> Vadym,
>
> rpm -q selinux-policy


Yep, I upgraded to 6.1 and manual was changed. It is still inconsistent though:

selinux-policy-3.7.19-93.el6_1.7.noarch

man httpd_selinux

httpd_sys_rw_content_t
- Set files with httpd_sys_rw_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and dis-
allow other non sys scripts from access.
httpd_sys_content_ra_t
- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and
disallow other non sys scripts from access.

why "rw" is a prefix, but "ra" is a suffix ?

Thanks,
Vadym


 
Old 09-27-2011, 01:01 PM
Miroslav Grepl
 
Default httpd_sys_content_rw_t

On 09/25/2011 12:34 AM, Vadym Chepkov wrote:
> Hi,
>
> I think man httpd_selinux is outdated in RHEL6
>
> it looks like proper name for httpd_sys_content_rw_t is httpd_sys_rw_content_t.
>
> at least restorecon is trying to correct it all the time :
>
> for example:
>
> restorecon reset /var/www/sel_blog/wp-content/uploads/2011/01/logo-150x150.jpg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:httpd_sys_content_rw_t:s0
>
> Vadym
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Vadym,

rpm -q selinux-policy
 
Old 09-27-2011, 01:51 PM
Miroslav Grepl
 
Default httpd_sys_content_rw_t

On 09/27/2011 11:37 AM, Vadym Chepkov wrote:
> On Sep 27, 2011, at 9:01 AM, Miroslav Grepl wrote:
>
>> On 09/25/2011 12:34 AM, Vadym Chepkov wrote:
>>> Hi,
>>>
>>> I think man httpd_selinux is outdated in RHEL6
>>>
>>> it looks like proper name for httpd_sys_content_rw_t is httpd_sys_rw_content_t.
>>>
>>> at least restorecon is trying to correct it all the time :
>>>
>>> for example:
>>>
>>> restorecon reset /var/www/sel_blog/wp-content/uploads/2011/01/logo-150x150.jpg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:httpd_sys_content_rw_t:s0
>>>
>>> Vadym
>>>
>>> --
>>> selinux mailing list
>>> selinux@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> Vadym,
>>
>> rpm -q selinux-policy
>
> Yep, I upgraded to 6.1 and manual was changed. It is still inconsistent though:
>
> selinux-policy-3.7.19-93.el6_1.7.noarch
>
> man httpd_selinux
>
> httpd_sys_rw_content_t
> - Set files with httpd_sys_rw_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and dis-
> allow other non sys scripts from access.
> httpd_sys_content_ra_t
> - Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and
> disallow other non sys scripts from access.
>
> why "rw" is a prefix, but "ra" is a suffix ?
>
> Thanks,
> Vadym
>
>
We have more fixes in the latest RHEL6.2 policy but this is a bug which
needs to be fixed.
 

All times are GMT.