* PATCH: Remove redundant role statement from the apache.te file.
@ 2007-02-18 23:40 Ryan Bradetich
From: Ryan Bradetich @ 2007-02-18 23:40 UTC (permalink / raw)
  To: selinux

Hello all,

I am working on writing a policy for the Boa web server.  I am using
the SELinux by Example book and the apache modules for guidance.
Going through the apache.te file I noticed the following entry is
redundant:

    role system_r types httpd_t;

This statement is provided as part of the init_daemon_domain interface
in the modules/system/init.if interface file.  Here is the line in the
init_daemon_domain interface function:

   role system_r types $1;

I have attached a patch to remove the role entry from the apache.te file.

Thanks!

- Ryan

[-- Attachment #2: apache.te.diff --]
[-- Type: text/x-patch, Size: 450 bytes --]

Index: policy/modules/services/apache.te
===================================================================
--- policy/modules/services/apache.te	(revision 2181)
+++ policy/modules/services/apache.te	(working copy)
@@ -33,7 +33,6 @@
 type httpd_t;
 type httpd_exec_t;
 init_daemon_domain(httpd_t,httpd_exec_t)
-role system_r types httpd_t;
 
 # httpd_cache_t is the type given to the /var/cache/httpd
 # directory and the files under that directory
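Review bot: the removal is only correct because init_daemon_domain(httpd_t,httpd_exec_t) on the preceding line already expands to `role system_r types $1;`, yet nothing in the hunk or the description records that dependency; add a one-line comment beside the init_daemon_domain call, or say in the commit message that the role now comes from modules/system/init.if, so a later reader neither re-adds the line nor assumes the matching statement can be dropped for subdomains such as httpd_sys_script_t, which the interface does not cover.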


* Re: PATCH: Remove redundant role statement from the apache.te file.
@ 2007-02-23 16:24 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2007-02-23 16:24 UTC (permalink / raw)
  To: Ryan Bradetich; +Cc: selinux

On Sun, 2007-02-18 at 15:40 -0800, Ryan Bradetich wrote:
> I am working on writing a policy for the Boa web server.  I am using
> the SELinux by Example book and the apache modules for guidance.
> Going through the apache.te file I noticed the following entry is
> redundant:
> 
>     role system_r types httpd_t;
> 
> This statement is provided as part of the init_daemon_domain interface
> in the modules/system/init.if interface file.  Here is the line in the
> init_daemon_domain interface function:
> 
>    role system_r types $1;
> 
> I have attached a patch to remove the role entry from the apache.te file.

Since this doesn't hurt anything, I'd rather just leave it since it's all
over the policy right now.  The issue is that if you rely on the
interface to allow the role the daemon type, you still have to allow the
role to any subdomains of the daemon (like httpd_sys_script_t)
explicitly.  This makes the handling of the primary domain and
subdomains of a daemon slightly inconsistent.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
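A small lint that makes both points in this thread concrete: it reads a .te fragment and reports, per domain, whether system_r is granted through init_daemon_domain() (which expands to `role system_r types $1;`), through an explicit `role system_r types` statement, or through both (the redundancy Ryan found), and it shows why Chris keeps the explicit statement for subdomains such as httpd_sys_script_t, which the interface never reaches. This is an added example, not code from the thread or from the reference policy; the sample fragment is constructed, and boa_t/boa_exec_t are assumed names for the Boa policy Ryan mentions.

```python
import re

# Constructed sample modelled on the apache.te hunk quoted in the thread, plus
# a subdomain (httpd_sys_script_t) that only an explicit role statement covers
# and an assumed Boa daemon (boa_t) that relies on the interface alone.
SAMPLE_TE = """\
type httpd_t;
type httpd_exec_t;
init_daemon_domain(httpd_t,httpd_exec_t)
role system_r types httpd_t;

# not passed to init_daemon_domain, so its `role system_r types $1;` never applies
type httpd_sys_script_t;
role system_r types httpd_sys_script_t;

type boa_t;
type boa_exec_t;
init_daemon_domain(boa_t, boa_exec_t)
"""

INIT_DAEMON_RE = re.compile(r"^\s*init_daemon_domain\(\s*(\w+)\s*,\s*(\w+)\s*\)")
ROLE_RE = re.compile(r"^\s*role\s+(\w+)\s+types\s+(\w+)\s*;")


def role_sources(te_text, role="system_r"):
    """Map each domain to the line number of each construct granting it `role`."""
    sources = {}
    for lineno, line in enumerate(te_text.splitlines(), 1):
        m = INIT_DAEMON_RE.match(line)
        if m:  # first argument is the daemon domain the interface gives the role to
            sources.setdefault(m.group(1), {})["interface"] = lineno
            continue
        m = ROLE_RE.match(line)
        if m and m.group(1) == role:
            sources.setdefault(m.group(2), {})["explicit"] = lineno
    return sources


def classify(te_text, role="system_r"):
    """Label each domain 'redundant' (both sources), 'interface' or 'explicit'."""
    result = {}
    for domain, src in role_sources(te_text, role).items():
        if "interface" in src and "explicit" in src:
            result[domain] = "redundant"
        elif "interface" in src:
            result[domain] = "interface"
        else:
            result[domain] = "explicit"
    return result
```

Run `classify()` over a module's .te file to see which `role system_r types` lines duplicate an interface call and which ones, like the subdomain's, are the only thing letting system_r enter that domain.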


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: PATCH: Remove redundant role statement from the apache.te file.
@ 2007-02-24 16:00   ` Ryan Bradetich
From: Ryan Bradetich @ 2007-02-24 16:00 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: selinux

Hello Chris,

Fair enough.  I will reverse this patch from my local tree as well.

Thanks!

- Ryan




