Individual Domains for Particular PHP Scripts.
Tobias
maillist at wolke7.net
Fri Jun 24 01:05:35 UTC 2005
Hi Colin, hi
ML,
>http://fedora.redhat.com/docs/selinux-apache-fc3/sn-further-approaches.html#sn-cgi-subdomains
>
> Need to update that for FC4...soon, hopefully :)
:)
>
> > What's wrong in my policy? Doesn't works the domain auto transition
> > properly ? How to separate PHP Scripts in their own domains?
>
> Are these PHP scripts actually being executed as separate processes?
>
> SELinux policy is applied at the level of processes; there is no builtin
> mechanism for confining different PHP scripts that run in the same httpd
> process. It would be possible to achieve some level of security by
> using dynamic domain transitions e.g. with an Apache module, but no one
> has written it yet.
I've a bit experience with domain_auto_trans related by executable binaries
(flow: user_t->execute binary->newtype_t->other_rights_than_user_t)
and i hoped apache and php-scripts are similar
(flow: httpd_t->execute script->httpd_new_t->other_rights_than_httpd_t).
See my previous email (reply to Daniel Walsh), please.
TIA :)
Toby
--
Weitersagen: GMX DSL-Flatrates mit Tempo-Garantie!
Ab 4,99 Euro/Monat: http://www.gmx.net/de/go/dsl
More information about the fedora-selinux-list
mailing list