On 07/23/2009 10:43 AM, Stephen Smalley wrote:
> On Wed, 2009-07-22 at 22:19 +0200, Dominick Grift wrote:
>> On Wed, 2009-07-22 at 16:05 -0400, Stephen Smalley wrote:
>>> On Wed, 2009-07-22 at 12:57 -0700, Vadym Chepkov wrote:
>>>> You are right, these types are listed in /etc/selinux/targeted/contexts/customizable_types:
>>>>
>>>> .... httpd_sys_content_t httpd_sys_htaccess_t httpd_sys_script_exec_t httpd_sys_script_ra_t httpd_sys_script_ro_t httpd_sys_script_rw_t httpd_unconfined_script_exec_t ....
>>>>
>>>> May I ask, why are they set this way?
>>>
>>> Because users may choose to customize the labeling of their web hierarchy and we didn't want restorecon to clobber it. These days that isn't so necessary because users can use semanage fcontext -a to add entries for their customizations, and that is why customizable_types in F11 doesn't include those types.
>>
>> But should httpd_user_{content,content_rw,script_exec}_t not be customizable types though?
>>
>> Afaik unpriv users cannot use semanage fcontext. What if an unpriv user tries to configure a custom apache homedir, for example (~/mywww)?
>> Will that not be relabeled upon restorecon -R -v /home?
>
> Good question. Dan?
>
> Policy access control, if it ever reaches maturity and integration, could possibly allow unprivileged users to add semanage fcontext entries for their own home directory contents.

Dominick has a good point. I was thinking only in terms of administrators. I will fix in Rawhide.

svirt_image_t virt_content_t httpd_user_htaccess_t httpd_user_script_exec_t httpd_user_content_ra_t httpd_user_content_rw_t httpd_user_content_t
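Added example, not code from the thread or from the SELinux userspace tools: a POSIX shell script that models the customizable_types check the thread is about. It embeds two constructed lists copied from the messages above (the F10 list Vadym quoted and the types the final reply names for Rawhide) plus a constructed set of "path type" entries, and reports which entries a plain restorecon -R pass would reset. It assumes each sample file's current label already differs from its file_contexts default, so only membership in the customizable list protects it, and that restorecon runs without -F.

```shell
#!/bin/sh
# Constructed excerpt of the F10 /etc/selinux/targeted/contexts/customizable_types,
# as quoted in the thread (not read from a live system).
F10_TYPES="httpd_sys_content_t
httpd_sys_htaccess_t
httpd_sys_script_exec_t
httpd_sys_script_ra_t
httpd_sys_script_ro_t
httpd_sys_script_rw_t
httpd_unconfined_script_exec_t"

# Constructed list of the types the final reply names for Rawhide.
RAWHIDE_TYPES="svirt_image_t
virt_content_t
httpd_user_htaccess_t
httpd_user_script_exec_t
httpd_user_content_ra_t
httpd_user_content_rw_t
httpd_user_content_t"

# is_customizable TYPE LIST
# Succeeds when TYPE is one whole line of LIST: the customizable_types file holds
# one exact type name per line, so the lookup is an exact-line match.
is_customizable() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# relabel_candidates LIST
# Reads constructed "<path> <current_type>" lines on stdin and prints the paths a
# plain `restorecon -R` would reset. Assumption: every entry's current type already
# differs from its file_contexts default, so only membership in LIST protects it.
# (`restorecon -F` ignores customizable_types and would reset all of them.)
relabel_candidates() {
    while read -r path type; do
        is_customizable "$type" "$1" || printf '%s\n' "$path"
    done
}

# Constructed sample: an unprivileged user's ~/mywww tree and the system docroot,
# both hand-labelled (e.g. with chcon) rather than via semanage fcontext, which,
# as the thread notes, an unprivileged user cannot run. An administrator would
# instead persist the label with something like
#   semanage fcontext -a -t httpd_user_content_t '/home/alice/mywww(/.*)?'
# so it survives restorecon without depending on customizable_types.
SAMPLE="/home/alice/mywww/index.html httpd_user_content_t
/var/www/html/index.html httpd_sys_content_t"

echo "Would be relabelled under the F10 list:"
printf '%s\n' "$SAMPLE" | relabel_candidates "$F10_TYPES"
echo "Would be relabelled under the Rawhide list:"
printf '%s\n' "$SAMPLE" | relabel_candidates "$RAWHIDE_TYPES"
```

Run as-is, the script shows the two sides of the thread's concern: with the F10 list, the user's ~/mywww file is the one restorecon would clobber, while with the Rawhide list it is the system docroot entry that is no longer protected and must rely on a file_contexts entry instead. On a real system the lookup happens inside restorecon, and the semanage fcontext line in the comment is the administrator's way to make a custom label permanent.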