User-Agent:
Build Identifier:

I try to get a mod_python application that needs write access to certain files to work with the targeted policy in fc3. I have tried to set the file type to httpd_sys_script_rw_t as described in http://people.redhat.com/walters/selinux-apache-en/using-other-types.html but since mod_python scripts are run in the httpd_t scontext and not httpd_sys_script_t that still gives me a syslog message like this:

Nov 10 10:05:20 molly kernel: audit(1100077520.457:0): avc: denied { write } for pid=8928 exe=/usr/sbin/httpd name=dicts.pickle dev=dm-0 ino=10076221 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file

Reproducible: Always

Steps to Reproduce:
1. Try to run a mod_python program that needs to write to files. My example is MoinMoin installed in /opt/www/wiki with the attached configuration

Actual Results:
Nov 10 10:05:20 molly kernel: audit(1100077520.457:0): avc: denied { write } for pid=8928 exe=/usr/sbin/httpd name=dicts.pickle dev=dm-0 ino=10076221 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file

Expected Results:
The same as I get when I have run 'setenforce 0', a working wiki app

I suppose this applies to mod_perl as well, but I haven't tried.
Created attachment 106399: mod_python config file
The syslog entry indicates that the file type was not changed to httpd_sys_script_rw_t. But it seems that write access to httpd_sys_script_rw_t is not granted for httpd_t. I think that we should enable such access.
Fixed in selinux-policy-targeted-1.17.30-2.23 Available on ftp://people.redhat.com/dwalsh/SELinux/FC3
Appears to be resolved in selinux-policy-targeted-1.17.30-2.35

/etc/selinux/targeted/src/policy/policy.conf:5759:allow httpd_t httpd_sys_script_rw_t:dir { read getattr lock search ioctl };
/etc/selinux/targeted/src/policy/policy.conf:5761:allow httpd_t httpd_sys_script_rw_t:file { read getattr lock ioctl };
/etc/selinux/targeted/src/policy/policy.conf:5763:allow httpd_t httpd_sys_script_rw_t:lnk_file { getattr read };
/etc/selinux/targeted/src/policy/policy.conf:6839:allow httpd_t httpd_sys_script_rw_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
/etc/selinux/targeted/src/policy/policy.conf:6841:allow httpd_t httpd_sys_script_rw_t:file { create ioctl read getattr lock write setattr append link unlink rename };
/etc/selinux/targeted/src/policy/policy.conf:6843:allow httpd_t httpd_sys_script_rw_t:lnk_file { create read getattr setattr link unlink rename };

In a quick test of installing Moin, I do not see the selinux denials.

noa: please reopen this issue if a policy newer than comment #3 does not resolve your issue.
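Added triage example, not part of this bug report or of the selinux-policy package: it parses the AVC denial from the report and the allow rules quoted from policy.conf in the comment above, and checks whether the denied access would be permitted once the file carries the httpd_sys_script_rw_t type. The AVC line and the rule text are constructed samples copied from this page; the helper names are my own.

```python
import re

# Constructed sample: the AVC denial from the bug description (httpd_t, not
# httpd_sys_script_t, is the source domain because mod_python runs in-process).
AVC_LINE = ("Nov 10 10:05:20 molly kernel: audit(1100077520.457:0): avc: denied "
            "{ write } for pid=8928 exe=/usr/sbin/httpd name=dicts.pickle dev=dm-0 "
            "ino=10076221 scontext=root:system_r:httpd_t "
            "tcontext=system_u:object_r:httpd_sys_content_t tclass=file")

# Constructed sample: the allow rules quoted from policy.conf (1.17.30-2.35),
# with the grep "path:line:" prefix removed.
POLICY_RULES = """
allow httpd_t httpd_sys_script_rw_t:dir { read getattr lock search ioctl };
allow httpd_t httpd_sys_script_rw_t:file { read getattr lock ioctl };
allow httpd_t httpd_sys_script_rw_t:lnk_file { getattr read };
allow httpd_t httpd_sys_script_rw_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow httpd_t httpd_sys_script_rw_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow httpd_t httpd_sys_script_rw_t:lnk_file { create read getattr setattr link unlink rename };
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
                    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")
RULE_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+\{\s*([^}]+)\}\s*;", re.M)

def parse_avc(line):
    """Extract denied permissions, source domain, target type and object class."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": set(m["perms"].split()),
            "sdomain": m["scontext"].split(":")[2],   # user:role:TYPE
            "ttype": m["tcontext"].split(":")[2],
            "tclass": m["tclass"]}

def parse_rules(text):
    """Merge allow rules into {(source, target, class): set(permissions)}."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def allowed(rules, sdomain, ttype, tclass, perms):
    """True only if every requested permission is granted by some allow rule."""
    return perms <= rules.get((sdomain, ttype, tclass), set())

def allowed_after_relabel(avc, rules, new_type="httpd_sys_script_rw_t"):
    """Would the same access pass if the target file were relabelled to new_type?"""
    return allowed(rules, avc["sdomain"], new_type, avc["tclass"], avc["perms"])
```

With the file left as httpd_sys_content_t no rule matches and the write stays denied; relabelled to httpd_sys_script_rw_t, the policy.conf:6841 rule grants it.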