Tuesday, October 05, 2004

More in selinux roles

I think the best way to illustrate the point of creating a role for content administration is to show an example.

In the file /etc/security/selinux/src/policy/users, I added this line:

user webadmin roles { user_r httpd_admin_r };

And I created the file /etc/security/selinux/src/policy/domains/misc/webadmin.te with the following content:

#DESC httpd_admin_t - Domain for web content administrators.
#
#################################

# httpd_admin_t has access to all of the httpd files, such as
# the configuration files and the log files. They also
# have access to system content and/or user content
#

full_user_role(httpd_admin)
priv_user(httpd_admin)
role_tty_type_change(user, httpd_admin)

create_dir_file(httpd_admin_t, user_home_dir_t)

allow httpd_admin_t user_home_t:file create_file_perms;

###########################################################################
# Allow the httpd admin to edit or create content
##########################################################################
create_dir_file(httpd_admin_t, httpd_sys_content_t)

###########################################################################
# Allow the httpd admin to view log files
##########################################################################
r_dir_file(httpd_admin_t, httpd_log_t)

#############################################################################
# Allow the httpd admin to use chcon to change contexts on web pages,
# and htaccess files.
###########################################################################
allow httpd_admin_t httpd_sys_content_t:dir { relabelto };
allow httpd_admin_t httpd_sys_content_t:file { relabelto };

And that's all, folks!
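To review what the rules above actually hand to httpd_admin_t, here is a small added helper (not part of the original post or of the SELinux example policy) that parses the allow rules and the two file macros from webadmin.te and summarises, per target type, whether the domain gets write-capable access. The expansions of create_dir_file and r_dir_file are an assumed approximation of the old core_macros.te definitions, and the policy text is a constructed copy of the rule lines shown above.

```python
import re

# Constructed copy of the rule lines from webadmin.te (comments and role macros omitted).
WEBADMIN_TE = """
create_dir_file(httpd_admin_t, user_home_dir_t)
allow httpd_admin_t user_home_t:file create_file_perms;
create_dir_file(httpd_admin_t, httpd_sys_content_t)
r_dir_file(httpd_admin_t, httpd_log_t)
allow httpd_admin_t httpd_sys_content_t:dir { relabelto };
allow httpd_admin_t httpd_sys_content_t:file { relabelto };
"""

# Assumed expansions of the example-policy macros (approximation of core_macros.te).
MACROS = {
    "create_dir_file": [("dir", "create_dir_perms"), ("file", "create_file_perms")],
    "r_dir_file": [("dir", "r_dir_perms"), ("file", "r_file_perms")],
}
# Permission sets that let a domain modify or relabel the target type.
WRITE_PERMS = {"create_dir_perms", "create_file_perms", "rw_file_perms",
               "write", "relabelto", "relabelfrom"}

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")
MACRO_RE = re.compile(r"(\w+)\(\s*(\w+)\s*,\s*(\w+)\s*\)")

def expand_rules(text):
    """Return (source, target, class, frozenset(perms)) tuples, expanding known macros."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, frozenset(perms.strip("{} ").split())))
            continue
        m = MACRO_RE.match(line)
        if m and m.group(1) in MACROS:
            for cls, perm in MACROS[m.group(1)]:
                rules.append((m.group(2), m.group(3), cls, frozenset([perm])))
    return rules

def access_summary(text, domain):
    """Map each target type to {'perms': set, 'writable': bool} for the given domain."""
    summary = {}
    for src, tgt, cls, perms in expand_rules(text):
        if src != domain:
            continue
        entry = summary.setdefault(tgt, {"perms": set(), "writable": False})
        entry["perms"].update(f"{cls}:{p}" for p in perms)
        if perms & WRITE_PERMS:
            entry["writable"] = True
    return summary
```

Running access_summary(WEBADMIN_TE, "httpd_admin_t") shows httpd_log_t as read-only while the content and home-directory types are writable, which is the least-privilege split the role is meant to enforce.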
