From mboxrd@z Thu Jan 1 00:00:00 1970
From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 11 Feb 2013 17:35:29 -0500
Subject: [refpolicy] [PATCH/RFC] Reintroduce httpd_user_content_type and httpd_user_script_exec_type attributes
In-Reply-To: <1360612981.2559.36.camel@d30>
References: <20130211190233.GA11417@siphos.be> <1360611019.2559.22.camel@d30> <20130211193354.GA12406@siphos.be> <1360612981.2559.36.camel@d30>
Message-ID: <51197231.30307@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/11/2013 03:03 PM, Dominick Grift wrote:
> On Mon, 2013-02-11 at 20:33 +0100, Sven Vermeulen wrote:
>> On Mon, Feb 11, 2013 at 08:30:19PM +0100, Dominick Grift wrote:
>>>> The httpd_user_content_type and httpd_user_script_exec_type
>>>> attributes were erroneously removed a while ago, but while trying to
>>>> reintroduce them I did notice that they were removed because there
>>>> was no way for users to actually use them (or I'm completely
>>>> misreading the policy code).
>>>
>>> I still do not understand the purpose of this. Is there some actual
>>> need for this? I deprecated the interface because it was unused and I
>>> could not see a convincing need for it to exist.
>>>
>>> Can you enlighten me? What issue are you facing? Who, other than the
>>> user, needs to be able to manage user content/script dirs, files and
>>> symlinks?
>>
>> I'll have to ask Christopher, I made this patch as a result of our
>> previous thread on this matter (where I initially changed a deprecated
>> function to reflect the removal of these types):
>>
>> http://oss.tresys.com/pipermail/refpolicy/2013-January/006255.html
>>
>> Wkr,
>> Sven Vermeulen
>
>
> Take a look at why it did this:
>
>>>> interface(`apache_manage_all_user_content',`
>>>> 	refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.')
>>>> 	apache_manage_all_content($1)
>>>> ')
>
> Any content was previously considered user content. This was wrong in my
> view, and so I did what I did: I pointed it to apache_manage_all_content.
>
> I know that is also not optimal:
>
> so maybe change apache_manage_all_user_content() to:
>
> manage_dirs_pattern($1,
>     { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t },
>     { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
> manage_files_pattern($1,
>     { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t },
>     { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t })
> manage_lnk_files_pattern($1,
>     { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t },
>     { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
>

mkdir /etc/skel/public_html
useradd dwalsh

Will create /home/dwalsh/public_html I believe.