SELinux settings for a program run either by apache or user?

Daniel J Walsh dwalsh at redhat.com
Thu Jan 20 20:50:20 UTC 2005


Colin Walters wrote:

>On Thu, 2005-01-20 at 19:56 +1100, Nick Urbanik wrote:
>
>>This raises a can of worms when maintaining the program, and the
>>question arises as to which is the "real one".
>
>Well...no, since you still have the same source code and build process,
>etc.  This solution is a lot like what pre-SELinux chroot scripts did
>for bind, etc.
>
>>I'm likely to forget
>>to update one or the other.
>
>I'd imagine that your Makefile or whatever would install the two copies
>explicitly.  Or you could do it in the RPM build process.
>
>>"Which one do I enter into version
>>control?" is a question I would ask myself often.
>
>You enter binaries into version control?
>
>>Where are SELinux attributes stored?  In the inode?
>
>They are tightly coupled to the inode, yes.  Just like Unix permissions
>are.
>
>>If not, can hard
>>links be given different attributes?
>
>No; hard links are just additional names for the same object.  SELinux
>protects the actual object, not names or references to objects.
>
>>>The other solution is to define a new type, and grant both domains in
>>>question access to it.  This is a lot more complex; now you have to
>>>consider potential information flow between the two domains which were
>>>(presumably) separate before.
>>
>>Well, that may be more manageable in the long term.  Can you suggest a
>>(relatively) simple way of doing that?
>
>You'd have to explain more about your setup.  Are you just trying to run
>the CGI script as an ordinary user from unconfined_t?
>
After thinking about it, I think preserving file context would be the
problem.  So a different solution might be to take advantage of the
http_tty_comm boolean and turn on access to it from httpd_$$$_script_t,
so if an admin or an unconfined_t process ran the script it would be
able to output to the terminal.

Dan
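Dan's suggestion written out as a loadable policy module for the reference policy (an added example, not code from this thread; it assumes the CGI script runs as httpd_sys_script_t, uses the boolean's reference-policy spelling httpd_tty_comm, and relies on the term_use_controlling_term and userdom_use_user_terminals interfaces):

```selinux
# local_script_tty.te (constructed example): let CGI scripts running in
# httpd_sys_script_t write to the invoking terminal, but only while the
# existing httpd_tty_comm boolean is on, so the default stays locked down
# and no file contexts on the script need to change.
policy_module(local_script_tty, 1.0)

gen_require(`
    # Assumed domain of the script; substitute the type your script gets.
    type httpd_sys_script_t;
    # Reuse the boolean the thread refers to rather than minting a new one.
    bool httpd_tty_comm;
')

tunable_policy(`httpd_tty_comm',`
    # The controlling terminal inherited when an admin runs the script by hand.
    term_use_controlling_term(httpd_sys_script_t)
    # Pseudo-terminals owned by ordinary users, for the unconfined_t case.
    userdom_use_user_terminals(httpd_sys_script_t)
')
```

Build with `make -f /usr/share/selinux/devel/Makefile local_script_tty.pp`, load with `semodule -i local_script_tty.pp`, and switch the behaviour on with `setsebool -P httpd_tty_comm on`; with the boolean off, a script started from apache keeps the original, terminal-less policy.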
