SELinux settings for a program run either by apache or user?
Daniel J Walsh
dwalsh at redhat.com
Thu Jan 20 15:47:21 UTC 2005
Nick Urbanik wrote:
>Dear Folks,
>
>On Wed, Jan 19, 2005 at 11:07:59PM -0500, Colin Walters wrote:
>
>>On Thu, 2005-01-20 at 14:47 +1100, Nick Urbanik wrote:
>>
>>>Dear Folks,
>>>
>>>I have written a program that I use both run by Apache and by normal
>>>users as a command line application.
>>>
>>>When I changed the attribute of the program file to
>>>httpd_sys_script_exec_t, it no longer had permission to write to the
>>>console. What is the simplest way to handle this properly in SELinux?
>>>
>>The simplest solution is to simply make two copies of the program file
>>(by using e.g. cp), accessible by different names, with different
>>labels. So you'd have e.g. "/usr/bin/program.cgi" labeled as
>>httpd_sys_script_exec_t, and just "/usr/bin/program" labeled as
>>bin_t.
>>
>
>This raises a can of worms when maintaining the program, and the
>question arises as to which is the "real one". I'm likely to forget
>to update one or the other. "Which one do I enter into version
>control?" is a question I would ask myself often.
>
>Where are SELinux attributes stored? In the inode? If not, can hard
>links be given different attributes?
>
>>The other solution is to define a new type, and grant both domains in
>>question access to it. This is a lot more complex; now you have to
>>consider potential information flow between the two domains which were
>>(presumably) separate before.
>>
>
>Well, that may be more manageable in the long term. Can you suggest a
>(relatively) simple way of doing that?
>
>------------------------------------------------------------------------
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
This sounds like a bug. A user executing a httpd script should not be
changing context to httpd_sys_script_t, correct?
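Two points in the thread, Nick's question of whether labels live in the inode (and so whether hard links can differ) and Colin's two-copies approach, can be checked on a live system. The script below is an added demonstration and is not part of the original thread or any poster's code. It assumes Linux with GNU coreutils (`stat -c %C` to print the context) and only attempts a relabel when `selinuxenabled` reports SELinux active; the scratch directory and file names are constructed, and the `httpd_sys_script_exec_t` relabel of the `.cgi` copy mirrors Colin's suggestion. The SELinux label is the `security.selinux` extended attribute, which is stored with the inode, so a hard link always shows the same label as its original and only a separate copy (a second inode) can be labeled differently.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows why "two copies" works
# and a hard link would not: the SELinux label (security.selinux xattr)
# belongs to the inode, so two names for one inode share one label, while a
# copy is a second inode and can carry its own label.
# Assumptions: Linux with GNU coreutils (stat -c %C). Relabeling is only
# attempted when selinuxenabled reports SELinux on.

# Inode number of a path (ls -di is POSIX; -d keeps directories from listing).
inode_of() {
    set -- $(ls -di "$1")
    echo "$1"
}

# Exit 0 when the two paths name the same inode (a hard-link pair).
same_inode() {
    [ "$(inode_of "$1")" = "$(inode_of "$2")" ]
}

# Exit 0 when SELinux is enabled on this host.
selinux_on() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null
}

# SELinux context of a path, or "no-selinux" when it cannot be queried.
label_of() {
    if selinux_on; then
        stat -c %C "$1"
    else
        echo "no-selinux"
    fi
}

# Build the layout from the thread in a scratch directory (constructed paths):
#   program      - the command-line copy (would stay bin_t)
#   program.link - a hard link to it (same inode, therefore same label, always)
#   program.cgi  - a separate copy (own inode, can be httpd_sys_script_exec_t)
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho hello\n' > "$tmp/program"
    chmod 755 "$tmp/program"
    ln "$tmp/program" "$tmp/program.link"
    cp -p "$tmp/program" "$tmp/program.cgi"

    if selinux_on; then
        # Relabel only the copy; the hard link cannot be labeled separately.
        chcon -t httpd_sys_script_exec_t "$tmp/program.cgi" 2>/dev/null ||
            echo "chcon failed (type may not exist in this policy)"
    fi

    for f in program program.link program.cgi; do
        printf '%-13s inode=%s label=%s\n' "$f" \
            "$(inode_of "$tmp/$f")" "$(label_of "$tmp/$f")"
    done
    same_inode "$tmp/program" "$tmp/program.link" &&
        echo "program and program.link share an inode: one label for both"
    same_inode "$tmp/program" "$tmp/program.cgi" ||
        echo "program.cgi is its own inode: it can carry a different label"

    rm -rf "$tmp"
}

demo
```

On a host without SELinux the script still shows the inode relationship, which is the part that decides the question: a hard link can never carry a second label, so keeping one source in version control and producing the second labeled copy at install time (for example from a Makefile or package spec) is the practical way to avoid the "which one is real" problem.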