Allowing apache to read custom types

Allowing apache to read custom types

[Karl MacMillan]

I had a coworker ask about how to allow apache to read a custom type for
a policy that he wrote. Essentially, the policy is not focused on web
pages so it is not really ideal for the types to be generated from the
apache templates. I couldn't find any interfaces to allow apache to read
external types (I understand that these would be "reverse" interfaces -
but it seems like the most convenient way).

Am I just missing the best approach here?

Karl


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Allowing apache to read custom types

[Daniel J Walsh]

Karl MacMillan wrote:
> I had a coworker ask about how to allow apache to read a custom type for
> a policy that he wrote. Essentially, the policy is not focused on web
> pages so it is not really ideal for the types to be generated from the
> apache templates. I couldn't find any interfaces to allow apache to read
> external types (I understand that these would be "reverse" interfaces -
> but it seems like the most convenient way).
>
> Am I just missing the best approach here?
>
> Karl
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>   
We could add an attribute

apache_readable and an interface to define it.

read_file_pattern(httpd_t,  apache_readable, apache_readable)
read_file_pattern(httpd_sys_script_t,  apache_readable, apache_readable)



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Allowing apache to read custom types

[Karl MacMillan]

On Mon, 2007-07-02 at 16:35 -0400, Daniel J Walsh wrote:
> Karl MacMillan wrote:
> > I had a coworker ask about how to allow apache to read a custom type for
> > a policy that he wrote. Essentially, the policy is not focused on web
> > pages so it is not really ideal for the types to be generated from the
> > apache templates. I couldn't find any interfaces to allow apache to read
> > external types (I understand that these would be "reverse" interfaces -
> > but it seems like the most convenient way).
> >
> > Am I just missing the best approach here?
> >
> > Karl
> >
> >
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> > the words "unsubscribe selinux" without quotes as the message.
> >   
> We could add an attribute
> 
> apache_readable and an interface to define it.
> 
> read_file_pattern(httpd_t,  apache_readable, apache_readable)
> read_file_pattern(httpd_sys_script_t,  apache_readable, apache_readable)
> 

And an interface to use it? Are there other "reverse" interfaces
already?

Karl


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Allowing apache to read custom types

[Daniel J Walsh]

Karl MacMillan wrote:
> On Mon, 2007-07-02 at 16:35 -0400, Daniel J Walsh wrote:
>   
>> Karl MacMillan wrote:
>>     
>>> I had a coworker ask about how to allow apache to read a custom type for
>>> a policy that he wrote. Essentially, the policy is not focused on web
>>> pages so it is not really ideal for the types to be generated from the
>>> apache templates. I couldn't find any interfaces to allow apache to read
>>> external types (I understand that these would be "reverse" interfaces -
>>> but it seems like the most convenient way).
>>>
>>> Am I just missing the best approach here?
>>>
>>> Karl
>>>
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>>> the words "unsubscribe selinux" without quotes as the message.
>>>   
>>>       
>> We could add an attribute
>>
>> apache_readable and an interface to define it.
>>
>> read_file_pattern(httpd_t,  apache_readable, apache_readable)
>> read_file_pattern(httpd_sys_script_t,  apache_readable, apache_readable)
>>
>>     
>
> And an interface to use it? Are there other "reverse" interfaces
> already?
>
> Karl
>
>   
All attribute interfaces are reverse interfaces.  If I say this is a 
logfile_type
Any domain that can access logfiles can now access it.  So I guess 
saying something is
apache_content_type would work the same.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.