SELinux settings for a program run either by apache or user?

Daniel J Walsh dwalsh at redhat.com
Thu Jan 20 15:47:21 UTC 2005


Nick Urbanik wrote:

>Dear Folks,
>
>On Wed, Jan 19, 2005 at 11:07:59PM -0500, Colin Walters wrote:
>
>>On Thu, 2005-01-20 at 14:47 +1100, Nick Urbanik wrote:
>>
>>>Dear Folks,
>>>
>>>I have written a program that I use both run by Apache and by normal
>>>users as a command line application.
>>>
>>>When I changed the attribute of the program file to
>>>httpd_sys_script_exec_t, it no longer had permission to write to the
>>>console.  What is the simplest way to handle this properly in SELinux?
>>>
>>The simplest solution is to simply make two copies of the program file
>>(by using e.g. cp), accessible by different names, with different
>>labels.  So you'd have e.g. "/usr/bin/program.cgi" labeled as
>>httpd_sys_script_exec_t, and just "/usr/bin/program" labeled as
>>bin_t.
>>
>
>This raises a can of worms when maintaining the program, and the
>question arises as to which is the "real one".  I'm likely to forget
>to update one or the other.  "Which one do I enter into version
>control?" is a question I would ask myself often.
>
>Where are SELinux attributes stored?  In the inode?  If not, can hard
>links be given different attributes?
>
>
>>The other solution is to define a new type, and grant both domains in
>>question access to it.  This is a lot more complex; now you have to
>>consider potential information flow between the two domains which were
>>(presumably) separate before.
>>
>
>Well, that may be more manageable in the long term.  Can you suggest a
>(relatively) simple way of doing that?
>
This sounds like a bug.  A user executing a httpd script should not be 
changing context to httpd_sys_script_t, correct?
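The thread asks where SELinux attributes are stored and whether hard links can carry different labels. The following script is an added illustration, not code from the list thread or from any of its participants: it builds a scratch "program", a hard link to it and a separate copy, then compares inode numbers and labels. The file label is the security.selinux extended attribute of the inode, so the hard link always shows the same label as its target, while the copy is a new inode whose label can be set independently (the two-copies approach suggested above). It assumes GNU coreutils (stat -c %C reports the context, or "?" on a host without SELinux); the chcon call only has an effect on an SELinux host and is deliberately allowed to fail elsewhere.

```shell
#!/bin/sh
# Added example, not part of the list thread. Shows that an SELinux file label
# lives on the inode (security.selinux xattr): a hard link shares it, a copy does not.
# Assumes GNU coreutils; chcon only takes effect on a host running SELinux.
set -eu

label_of() {
  # SELinux context of a path, or "?" on a host without SELinux support.
  stat -c %C -- "$1" 2>/dev/null || printf '?'
}

inode_of() {
  stat -c %i -- "$1"
}

setup_demo() {
  # Create a scratch "program", a hard link to it, and a separate copy;
  # print the scratch directory so the caller can inspect and remove it.
  d=$(mktemp -d)
  printf '#!/bin/sh\necho hello\n' > "$d/program"
  chmod 0755 "$d/program"
  ln "$d/program" "$d/program.cgi"   # hard link: same inode, hence same label
  cp "$d/program" "$d/program.copy"  # copy: new inode, label set independently
  # On an SELinux host, relabel only the link; the original follows, the copy does not.
  chcon -t httpd_sys_script_exec_t "$d/program.cgi" 2>/dev/null || true
  printf '%s\n' "$d"
}

# Both helpers return true/false so they can be used in conditionals.
same_inode() { [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; }
same_label() { [ "$(label_of "$1")" = "$(label_of "$2")" ]; }

report() {
  # One line per file: name, inode number, SELinux context.
  for f in program program.cgi program.copy; do
    printf '%-13s inode=%-9s label=%s\n' "$f" "$(inode_of "$1/$f")" "$(label_of "$1/$f")"
  done
}

demo=$(setup_demo)
report "$demo"
rm -rf "$demo"
```

On an SELinux host the report shows program and program.cgi with the same inode and the same httpd_sys_script_exec_t label after the chcon, and program.copy with its own inode and whatever label the directory's default rules gave it; on a host without SELinux the labels print as "?" but the inode relationship is unchanged.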
