SELinux settings for a program run either by apache or user?

Colin Walters walters at redhat.com
Thu Jan 20 15:52:17 UTC 2005


On Thu, 2005-01-20 at 19:56 +1100, Nick Urbanik wrote:

> This raises a can of worms when maintaining the program, and the
> question arises as to which is the "real one". 

Well...no, since you still have the same source code and build process,
etc.  This solution is a lot like what pre-SELinux chroot scripts did
for bind, etc.

>  I'm likely to forget
> to update one or the other.  

I'd imagine that your Makefile or whatever would install the two copies
explicitly.  Or you could do it in the RPM build process.

> "Which one do I enter into version
> control?" is a question I would ask myself often.

You enter binaries into version control?

> Where are SELinux attributes stored?  In the inode?  

They are tightly coupled to the inode, yes.  Just like Unix permissions
are.

> If not, can hard
> links be given different attributes?

No; hard links are just additional names for the same object.  SELinux
protects the actual object, not names or references to objects.

> > The other solution is to define a new type, and grant both domains in
> > question access to it.  This is a lot more complex; now you have to
> > consider potential information flow between the two domains which were
> > (presumably) separate before.
> 
> Well, that may be more manageable in the long term.  Can you suggest a
> (relatively) simple way of doing that?

You'd have to explain more about your setup.  Are you just trying to run
the CGI script as an ordinary user from unconfined_t?
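The inode point above (a label belongs to the object, so a hard link cannot carry a different label from its target, while a separate copy can) is easy to check on a shell. The script below is an added example written for this thread, not code from either poster. It assumes GNU coreutils (`stat -c`, `ls -Z`); the relabelling branch runs only when SELinux is enabled, and it uses `httpd_sys_script_exec_t`, the standard targeted-policy type for CGI scripts. File names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a hard link shares the inode and therefore
# the SELinux label of its target; a copy is a new inode and can be labelled on
# its own. Assumes GNU coreutils; the chcon/ls -Z part is skipped without SELinux.
set -e

# Return 0 if both paths name the same inode (same object, hence same label).
same_inode() {
    [ "$(stat -c %i "$1")" = "$(stat -c %i "$2")" ]
}

# True when SELinux is present and enabled on this host.
selinux_on() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null
}

# Print the security context of a path, or "?" when SELinux is unavailable.
label_of() {
    if selinux_on; then
        ls -Z "$1" | awk '{print $1}'   # coreutils prints "context name"
    else
        echo "?"
    fi
}

# Scratch setup: one original, one hard link (second name), one copy (new inode).
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho hello\n' > "$demo_dir/script.cgi"   # constructed CGI stub
chmod 755 "$demo_dir/script.cgi"
ln "$demo_dir/script.cgi" "$demo_dir/script-link.cgi"
cp "$demo_dir/script.cgi" "$demo_dir/script-copy.cgi"

if same_inode "$demo_dir/script.cgi" "$demo_dir/script-link.cgi"; then
    echo "link: same inode as original"
fi
if ! same_inode "$demo_dir/script.cgi" "$demo_dir/script-copy.cgi"; then
    echo "copy: separate inode"
fi

if selinux_on; then
    # Relabel through the LINK name: the original changes too, because there is
    # only one object. The copy keeps whatever label it got at creation.
    chcon -t httpd_sys_script_exec_t "$demo_dir/script-link.cgi" \
        || echo "chcon not permitted here; labels below are unchanged"
    echo "original: $(label_of "$demo_dir/script.cgi")"
    echo "link:     $(label_of "$demo_dir/script-link.cgi")"
    echo "copy:     $(label_of "$demo_dir/script-copy.cgi")"
fi

rm -rf "$demo_dir"
```

`chcon` changes only the label on disk and a later `restorecon`/relabel puts the policy's default back; for the two-copy arrangement discussed in the thread, the copy's path should also get a persistent rule (`semanage fcontext -a -t <type> <path>`) so the label survives relabelling.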
