Hello,
mediawiki software has a following script, ImageMagick gets invoked using it:
$ cat /var/www/mediawiki/bin/ulimit4.sh #!/bin/bash
ulimit -t $1 -v $2 -f $3 eval "$4"
I added /var/www/mediawiki/bin/.* regular file system_u:object_r:httpd_sys_script_exec_t:s0
into local policy. I receive the following AVC denial:
type=AVC msg=audit(1236789583.906:576443): avc: denied { read } for pid=22724 comm="ulimit4.sh" path="eventpoll:[10101538]" dev=eventpollfs ino=10101538 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
audit2allow suggests the following:
allow httpd_sys_script_t httpd_t:file read;
but it doesn't seem right to me. I don't want to make it httpd_unconfined_script_exec_t, does anyone has a better suggestion? Thank you.
Sincerely yours, Vadym Chepkov