* [refpolicy] [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
@ 2011-02-13 17:58 Dominick Grift
2011-02-14 14:46 ` Daniel J Walsh
2011-02-16 14:44 ` Christopher J. PeBenito
0 siblings, 2 replies; 3+ messages in thread
From: Dominick Grift @ 2011-02-13 17:58 UTC (permalink / raw)
To: refpolicy
From 78d6e4acfc000b07dbf85b076fa523e95e72da3f Sun, 13 Feb 2011 18:55:53 +0100
From: Dominick Grift <domg472@gmail.com>
Date: Sun, 13 Feb 2011 18:55:09 +0100
Subject: [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
Signed-off-by: Dominick Grift <domg472@gmail.com>
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index c9e1a44..6480167 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -218,10 +218,15 @@
role $1 types httpd_user_script_t;
- allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
-
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
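Review bot: The added manage_dirs_pattern, manage_files_pattern and manage_lnk_files_pattern calls for httpd_user_content_t widen $2 from the relabel-only access of the removed allow rule to full manage access, and the commit body only restates the subject. Say in the message which operation was being denied and that the grant is meant to match the manage_*_pattern lines already present for httpd_user_ra_content_t directly below, so the wider access is on record as intentional. It is also worth confirming that dir, file and lnk_file are the only classes needed, since those are the only three that the removed rule and the new patterns cover.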
From: Daniel J Walsh @ 2011-02-14 14:46 UTC (permalink / raw)
To: refpolicy
On 02/13/2011 12:58 PM, Dominick Grift wrote:
> From 78d6e4acfc000b07dbf85b076fa523e95e72da3f Sun, 13 Feb 2011 18:55:53 +0100
> From: Dominick Grift <domg472@gmail.com>
> Date: Sun, 13 Feb 2011 18:55:09 +0100
> Subject: [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
>
> Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
>
> Signed-off-by: Dominick Grift <domg472@gmail.com>
>
> diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
> index c9e1a44..6480167 100644
> --- a/policy/modules/services/apache.if
> +++ b/policy/modules/services/apache.if
> @@ -218,10 +218,15 @@
>
> role $1 types httpd_user_script_t;
>
> - allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
> -
> allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
>
> + manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +
> manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
> manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
> manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
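Review bot: Style point on the unchanged context line `allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };`: once the httpd_user_content_t rule is converted to patterns, this is the only raw allow with hand-listed relabel permissions left in the visible block. Consider a follow-up that writes it with the permission-set macros as well, for example relabel_file_perms in place of `relabelto relabelfrom`, so the htaccess rule reads like its neighbours.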
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
I agree with this, Fedora Policy includes this change.
From: Christopher J. PeBenito @ 2011-02-16 14:44 UTC (permalink / raw)
To: refpolicy
On 02/13/11 12:58, Dominick Grift wrote:
> From 78d6e4acfc000b07dbf85b076fa523e95e72da3f Sun, 13 Feb 2011 18:55:53 +0100
> From: Dominick Grift <domg472@gmail.com>
> Date: Sun, 13 Feb 2011 18:55:09 +0100
> Subject: [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
>
> Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
>
> Signed-off-by: Dominick Grift <domg472@gmail.com>
Merged.
> diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
> index c9e1a44..6480167 100644
> --- a/policy/modules/services/apache.if
> +++ b/policy/modules/services/apache.if
> @@ -218,10 +218,15 @@
>
> role $1 types httpd_user_script_t;
>
> - allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
> -
> allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
>
> + manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> + relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
> +
> manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
> manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
> manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com