From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] I think we made a large mistake when we designed apache_content_template.
Date: Wed, 23 Oct 2013 13:57:05 -0400
Message-ID: <52680DF1.3000700@redhat.com>
type httpd_$1_content_t; # customizable;
typeattribute httpd_$1_content_t httpd_content_type;
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
files_type(httpd_$1_content_t)
# This type is used for .htaccess files
type httpd_$1_htaccess_t, httpd_content_type; # customizable;
typeattribute httpd_$1_htaccess_t httpd_content_type;
files_type(httpd_$1_htaccess_t)

The problem, I believe, is that we prefix the types with httpd_. I would like to
remove this and change the code to something like

type $1_http_content_t; # customizable;
typeattribute $1_http_content_t httpd_content_type;
files_type($1_http_content_t)
# This type is used for .htaccess files
type $1_http_htaccess_t, httpd_content_type; # customizable;
typeattribute $1_http_htaccess_t httpd_content_type;
files_type($1_http_htaccess_t)
# Type that CGI scripts run as
type $1_cgi_t, httpd_script_type;
domain_type($1_cgi_t)
role system_r types $1_cgi_t;
type $1_cgi_exec_t, httpd_script_exec_type; # customizable;
typeattribute $1_cgi_exec_t httpd_content_type;
typeattribute httpd_$1_rw_content_t httpd_content_type;
typealias $1_http_rw_content_t alias { httpd_$1_script_rw_t
httpd_$1_content_rw_t };
files_type($1_http_rw_content_t)
...

Then tools can look for all content which begins with bugzilla and have the correct
types drawn.

http://danwalsh.livejournal.com/67007.html
Shows the problem of beginning all Apache CGI domains with httpd_
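
The tooling argument in the message above, as an added example that is not part of the original post or of refpolicy. It assumes a tool that attributes a type to whatever name precedes its first underscore; the application list, the two daemon types used as sample data, and all function names are constructed for illustration.

```python
# Type-name patterns quoted in the message; "$1" is the template argument.
OLD_NAMES = ["httpd_$1_content_t", "httpd_$1_htaccess_t", "httpd_$1_rw_content_t"]
NEW_NAMES = ["$1_http_content_t", "$1_http_htaccess_t", "$1_http_rw_content_t",
             "$1_cgi_t", "$1_cgi_exec_t"]

# Constructed sample data: two template instances plus two types that
# belong to the Apache daemon itself.
APPS = ["bugzilla", "nagios"]
DAEMON_TYPES = ["httpd_log_t", "httpd_config_t"]


def expand(names, app):
    """Substitute the template argument, as m4 does for $1."""
    return [n.replace("$1", app) for n in names]


def policy_types(names):
    """All types a policy would contain under one naming scheme."""
    types = list(DAEMON_TYPES)
    for app in APPS:
        types += expand(names, app)
    return types


def owner(type_name):
    """Assumed tool heuristic: text before the first underscore is the owner."""
    return type_name.split("_", 1)[0]


def types_for(types, app):
    """Every type a prefix-based tool would attribute to `app`."""
    return sorted(t for t in types if owner(t) == app)


def owners(types):
    """Distinct owners the heuristic finds in a list of types."""
    return sorted({owner(t) for t in types})


if __name__ == "__main__":
    for label, names in (("httpd_$1_*", OLD_NAMES), ("$1_http_*", NEW_NAMES)):
        types = policy_types(names)
        print(label, "owners:", owners(types))
        print("  bugzilla:", types_for(types, "bugzilla"))
        print("  httpd:   ", types_for(types, "httpd"))
```

With the httpd_ prefix every web application's types collapse into the daemon's own group; with the application name first, each application and the daemon separate cleanly.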