* [refpolicy] [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
@ 2011-02-13 17:58 Dominick Grift
  2011-02-14 14:46 ` Daniel J Walsh
  2011-02-16 14:44 ` Christopher J. PeBenito
  0 siblings, 2 replies; 3+ messages in thread
From: Dominick Grift @ 2011-02-13 17:58 UTC
  To: refpolicy

From 78d6e4acfc000b07dbf85b076fa523e95e72da3f Sun, 13 Feb 2011 18:55:53 +0100
From: Dominick Grift <domg472@gmail.com>
Date: Sun, 13 Feb 2011 18:55:09 +0100
Subject: [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.

Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.

Signed-off-by: Dominick Grift <domg472@gmail.com>

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index c9e1a44..6480167 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -218,10 +218,15 @@
 
 	role $1 types httpd_user_script_t;
 
-	allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
-
 	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
 
+	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
 	manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
 	manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
 	manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
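Review bot: the commit message should say why every caller of apache_role needs this, because the three added manage_*_pattern lines for httpd_user_content_t widen $2 from the relabelto/relabelfrom-only access of the removed allow rule to managing directories, files and symbolic links of that type. The body currently repeats the subject line; a sentence naming the operation that failed would let reviewers confirm that manage access, rather than a narrower permission set, is what is needed.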

* [refpolicy] [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
  2011-02-13 17:58 [refpolicy] [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links Dominick Grift
@ 2011-02-14 14:46 ` Daniel J Walsh
  2011-02-16 14:44 ` Christopher J. PeBenito
  1 sibling, 0 replies; 3+ messages in thread
From: Daniel J Walsh @ 2011-02-14 14:46 UTC
  To: refpolicy

On 02/13/2011 12:58 PM, Dominick Grift wrote:
> From 78d6e4acfc000b07dbf85b076fa523e95e72da3f Sun, 13 Feb 2011 18:55:53 +0100
> From: Dominick Grift <domg472@gmail.com>
> Date: Sun, 13 Feb 2011 18:55:09 +0100
> Subject: [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
> 
> Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
> 
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> 
> diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
> index c9e1a44..6480167 100644
> --- a/policy/modules/services/apache.if
> +++ b/policy/modules/services/apache.if
> @@ -218,10 +218,15 @@
>  
>  	role $1 types httpd_user_script_t;
>  
> -	allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
> -
>  	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
>  
> +	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +
>  	manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
>  	manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
>  	manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
> 
> 
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

I agree with this, Fedora Policy includes this change.

* [refpolicy] [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
  2011-02-13 17:58 [refpolicy] [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links Dominick Grift
  2011-02-14 14:46 ` Daniel J Walsh
@ 2011-02-16 14:44 ` Christopher J. PeBenito
  1 sibling, 0 replies; 3+ messages in thread
From: Christopher J. PeBenito @ 2011-02-16 14:44 UTC
  To: refpolicy

On 02/13/11 12:58, Dominick Grift wrote:
> From 78d6e4acfc000b07dbf85b076fa523e95e72da3f Sun, 13 Feb 2011 18:55:53 +0100
> From: Dominick Grift <domg472@gmail.com>
> Date: Sun, 13 Feb 2011 18:55:09 +0100
> Subject: [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
> 
> Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
> 
> Signed-off-by: Dominick Grift <domg472@gmail.com>

Merged.

> diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
> index c9e1a44..6480167 100644
> --- a/policy/modules/services/apache.if
> +++ b/policy/modules/services/apache.if
> @@ -218,10 +218,15 @@
>  
>  	role $1 types httpd_user_script_t;
>  
> -	allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
> -
>  	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
>  
> +	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +
>  	manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
>  	manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
>  	manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
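Review bot: the unchanged httpd_user_htaccess_t rule directly above the added block still uses a raw allow with `{ manage_file_perms relabelto relabelfrom }`, while the new httpd_user_content_t lines and the httpd_user_ra_content_t lines below use the pattern macros. Consider expressing the htaccess rule with the same macros in this patch or a follow-up, or noting in the commit message why it is left as a raw allow, so the three content types in this interface read consistently.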


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
