From: Daniel J Walsh <dwalsh@redhat.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: "Ville Skyttä" <ville.skytta@iki.fi>,
"Stephen Smalley" <sds@tycho.nsa.gov>,
"SE Linux" <selinux@tycho.nsa.gov>
Subject: w3c.te module policy
Date: Sat, 11 Mar 2006 07:25:49 -0500
Message-ID: <4412C1CD.6080808@redhat.com>
In-Reply-To: <1142072726.19009.30.camel@bobcat.mine.nu>
[-- Attachment #1: Type: text/plain, Size: 657 bytes --]
Ville has been trying to build a modular policy package for w3c. He
created te,fc,if files similar to the ones I have attached. The problem
is that when he compiles them he ends up with avc messages suggesting he
needs these additional rules:

allow httpd_t httpd_w3c_script_exec_t:file { execute execute_no_trans
    getattr ioctl read };

I have duplicated this on my machine.

From my reading of the generated policy these should already exist.
Examining the tmp/w3c.tmp file it looks like they are there (except for
the execute_no_trans). They are wrapped in a boolean though. Is there
something wrong in policy modules handling of booleans?
[-- Attachment #2: w3c.te --]
[-- Type: text/plain, Size: 458 bytes --]
policy_module(w3c,1.2.1)
apache_content_template(w3c)
sysnet_dns_name_resolve(httpd_w3c_script_t)
# allow httpd_w3c_script_t to connect to a relay
corenet_tcp_connect_gopher_port(httpd_w3c_script_t)
corenet_tcp_connect_ftp_port(httpd_w3c_script_t)
corenet_tcp_connect_http_port(httpd_w3c_script_t)
corenet_tcp_connect_http_cache_port(httpd_w3c_script_t)
tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_w3c_script_t)
')
[-- Attachment #3: w3c.fc --]
[-- Type: text/plain, Size: 185 bytes --]
/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/usr/share/w3c-markup-validator/check gen_context(system_u:object_r:httpd_w3c_script_exec_t,s0)
[-- Attachment #4: w3c.if --]
[-- Type: text/plain, Size: 0 bytes --]
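
An added example, not part of the original message or of the reference policy: one way to check whether the permissions an AVC denial asks for already appear in expanded policy source, and whether the matching allow rule is unconditional or sits inside a boolean block. The sample text and the boolean name `some_boolean` are constructed, and the parser assumes single-type allow rules and boolean expressions without nested parentheses.

```python
import re

# Constructed sample shaped like m4-expanded policy source; it is not the
# tmp/w3c.tmp from the message, and "some_boolean" is a placeholder name.
EXPANDED = """
allow httpd_w3c_script_t self:tcp_socket { create connect };
if (some_boolean) {
    allow httpd_t httpd_w3c_script_exec_t:file { execute getattr ioctl read };
}
"""

RULE = re.compile(r"\ballow\s+(\S+)\s+([^\s:]+)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+?)\s*;")

def conditional_spans(text):
    """Return (start, end, condition) for every if/else branch body."""
    spans = []
    for m in re.finditer(r"\bif\s*\(([^)]*)\)\s*\{", text):
        cond, pos = m.group(1).strip(), m.end()
        while True:
            depth, i = 1, pos
            # Permission sets inside the body are balanced, so counting works.
            while depth and i < len(text):
                depth += {"{": 1, "}": -1}.get(text[i], 0)
                i += 1
            spans.append((pos, i, cond))
            els = re.match(r"\s*else\s*\{", text[i:])
            if not els:
                break
            cond, pos = "!(" + m.group(1).strip() + ")", i + els.end()
    return spans

def explain(text, src, tgt, cls, perms):
    """Map each permission to 'unconditional', its condition, or None if absent."""
    spans = conditional_spans(text)
    found = {p: None for p in perms}
    for m in RULE.finditer(text):
        if m.group(1, 2, 3) != (src, tgt, cls):
            continue
        where = next((c for s, e, c in spans if s <= m.start() < e), "unconditional")
        for p in m.group(4).strip("{} ").split():
            if p in found and found[p] != "unconditional":
                found[p] = where
    return found

if __name__ == "__main__":
    wanted = ["execute", "execute_no_trans", "getattr", "ioctl", "read"]
    for perm, where in explain(EXPANDED, "httpd_t", "httpd_w3c_script_exec_t", "file", wanted).items():
        print(f"{perm:18} {where or 'no matching allow rule'}")
```

A permission reported under a condition is granted only while that boolean expression is true in the loaded policy; `getsebool` shows the current boolean values.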