On Mon, Nov 22, 2004 at 05:59:10PM -0500, Colin Walters wrote:
On Mon, 2004-11-22 at 17:30 -0500, Yuichi Nakamura wrote:
> I think it should grant fewer permissions.
> Why httpd_t should write all contents in httpd_unified ?
Ah, I see what you're saying now. Right. Dan added that recently for
PHP scripts, I believe.
> So, I feel that allowing httpd_t write permission to all contents is out of scope of
httpd_unified.
I agree now. Conceptually they are separate things. A new boolean like
httpd_content_writable sounds good to me. Sorry about misunderstanding
you originally.
But this is boolean is going to be on by default?
I'm going to add this text to /etc/httpd/conf.d/subversion.conf since it
(currently :) works out-of-the-box: is the terminology "labelled with a
context" correct?
#
# Example configuration to enable HTTP access for a directory
# containing Subversion repositories, "/var/www/svn". Each repository
# must be readable and writable by the 'apache' user. Note that if
# SELinux is enabled, the repositories must be labelled with a context
# which httpd can write to; this will happen by default for
# directories created in /var/www.
#