* w3c.te module policy

From: Daniel J Walsh @ 2006-03-11 12:25 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Ville Skyttä, Stephen Smalley, SE Linux

[-- Attachment #1: Type: text/plain, Size: 657 bytes --]

Ville has been trying to build a modular policy package for w3c. He
created te, fc, if files similar to the ones I have attached. The problem
is that when he compiles them he ends up with avc messages suggesting he
needs these additional rules:

allow httpd_t httpd_w3c_script_exec_t:file { execute execute_no_trans getattr ioctl read };

I have duplicated this on my machine.

From my reading of the generated policy these should already exist.
Examining the tmp/w3c.tmp file it looks like they are there (except for
the execute_no_trans). They are wrapped in a boolean though. Is there
something wrong in policy modules' handling of booleans?

[-- Attachment #2: w3c.te --]
[-- Type: text/plain, Size: 458 bytes --]

policy_module(w3c,1.2.1)

apache_content_template(w3c)

sysnet_dns_name_resolve(httpd_w3c_script_t)

# allow httpd_w3c_script_t to connect to a relay
corenet_tcp_connect_gopher_port(httpd_w3c_script_t)
corenet_tcp_connect_ftp_port(httpd_w3c_script_t)
corenet_tcp_connect_http_port(httpd_w3c_script_t)
corenet_tcp_connect_http_cache_port(httpd_w3c_script_t)

tunable_policy(`httpd_can_network_connect',`
	corenet_tcp_connect_all_ports(httpd_w3c_script_t)
')

[-- Attachment #3: w3c.fc --]
[-- Type: text/plain, Size: 185 bytes --]

/usr/share/w3c-markup-validator(/.*)?        gen_context(system_u:object_r:httpd_config_t,s0)
/usr/share/w3c-markup-validator/check        gen_context(system_u:object_r:httpd_w3c_script_exec_t,s0)

[-- Attachment #4: w3c.if --]
[-- Type: text/plain, Size: 0 bytes --]
* Re: w3c.te module policy

From: Christopher J. PeBenito @ 2006-03-14 15:39 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Ville Skyttä, Stephen Smalley, SE Linux

On Sat, 2006-03-11 at 07:25 -0500, Daniel J Walsh wrote:
> Ville has been trying to build a modular policy package for w3c. He
> created te, fc, if files similar to the ones I have attached. The problem
> is that when he compiles them he ends up with avc messages suggesting he
> needs these additional rules:
>
> allow httpd_t httpd_w3c_script_exec_t:file { execute execute_no_trans
> getattr ioctl read };
>
> I have duplicated this on my machine.
>
> From my reading of the generated policy these should already exist.
> Examining the tmp/w3c.tmp file it looks like they are there (except for
> the execute_no_trans). They are wrapped in a boolean though. Is there
> something wrong in policy modules' handling of booleans?

The transition from httpd_t to httpd_*_script_t is inside httpd_enable_cgi;
if that is not enabled, then it makes sense that the perms listed above
would be denied.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
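The triage step Dan describes by hand (look in the expanded tmp/w3c.tmp, see whether the rules audit2allow asks for are already present, and notice that they sit inside a boolean) can be automated. The script below is an added example written for this archive page; it is not code from the thread, from Dan, Chris or the reference policy. It takes an audit2allow-style "allow" rule and an m4-expanded policy excerpt, and reports for each requested permission whether it is granted unconditionally, granted only inside an "if (boolean) { ... }" block, or absent. The EXPANDED_POLICY text is a constructed approximation of what an expanded module looks like; the rule bodies in it are assumptions chosen to reproduce the situation in the thread (the httpd_t rules live under httpd_enable_cgi and execute_no_trans is not granted at all), not a copy of the real generated file.

```python
import re

# Constructed stand-in for an m4-expanded module (tmp/w3c.tmp style).
# The rule contents are assumptions for illustration, not copied from refpolicy.
EXPANDED_POLICY = """
type httpd_w3c_script_t;
type httpd_w3c_script_exec_t;
allow httpd_w3c_script_t httpd_w3c_script_exec_t:file { getattr read execute };
if (httpd_enable_cgi) {
    allow httpd_t httpd_w3c_script_exec_t:file { getattr read ioctl execute };
    type_transition httpd_t httpd_w3c_script_exec_t:process httpd_w3c_script_t;
}
if (httpd_can_network_connect) {
    allow httpd_w3c_script_t port_t:tcp_socket name_connect;
}
"""

# The rule audit2allow proposed, as quoted in the thread.
NEEDED_RULE = ("allow httpd_t httpd_w3c_script_exec_t:file "
               "{ execute execute_no_trans getattr ioctl read };")

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;$")
IF_RE = re.compile(r"^if\s*\(\s*(!?\w+)\s*\)\s*\{$")


def parse_perms(text):
    """'{ a b }' or 'a' -> set of permission names."""
    text = text.strip()
    if text.startswith("{"):
        return set(text.strip("{}").split())
    return {text}


def parse_allow(line):
    """Return (source, target, class, perms) for an allow rule, else None."""
    m = ALLOW_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3), parse_perms(m.group(4))


def index_allows(policy_text):
    """Walk expanded policy text, tracking the enclosing if/else condition.

    Returns a list of (source, target, class, perms, condition) tuples where
    condition is None for unconditional rules, 'bool' inside if (bool) { ... }
    and '!bool' inside the matching else branch. Nested ifs use the innermost.
    """
    rules, cond_stack = [], []
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IF_RE.match(line)
        if m:
            cond_stack.append(m.group(1))
            continue
        if line.startswith("}"):
            if cond_stack:
                top = cond_stack.pop()
                if line.replace(" ", "") == "}else{":
                    cond_stack.append(top[1:] if top.startswith("!") else "!" + top)
            continue
        parsed = parse_allow(line)
        if parsed:
            rules.append((*parsed, cond_stack[-1] if cond_stack else None))
    return rules


def explain_denial(needed_rule, policy_text):
    """Map each permission in needed_rule to 'unconditional', 'boolean:<name>'
    or 'missing', based on the rules found in policy_text."""
    src, tgt, cls, perms = parse_allow(needed_rule)
    rules = index_allows(policy_text)
    result = {}
    for perm in sorted(perms):
        status = "missing"
        for rsrc, rtgt, rcls, rperms, cond in rules:
            if (rsrc, rtgt, rcls) == (src, tgt, cls) and perm in rperms:
                if cond is None:
                    status = "unconditional"  # an unconditional grant wins
                    break
                status = "boolean:" + cond
        result[perm] = status
    return result


if __name__ == "__main__":
    for perm, status in explain_denial(NEEDED_RULE, EXPANDED_POLICY).items():
        print(f"{perm:18} {status}")
```

Run against the constructed excerpt, the report separates the two distinct causes of the denial: execute, getattr, ioctl and read are only granted while httpd_enable_cgi is on (so "setsebool -P httpd_enable_cgi 1" is the fix, not an extra allow rule), whereas execute_no_trans is genuinely absent and would only be needed if httpd_t were supposed to run the script without a domain transition, which is not the intended design here.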