Individual Domains for Particular PHP Scripts.
TobyD at wolke7.net
TobyD at wolke7.net
Thu Jun 23 10:50:40 UTC 2005
Hi SELinux users!
I've
read:
http://fedora.redhat.com/docs/selinux-apache-fc3/sn-further-approaches.html#sn-cgi-subdomains
My Testbed: FC4 with selinux-policy-strict-sources-1.23.16-6.
My Steps:
#ls -laZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_php_script_a_t a.php
-rw-r--r-- root root system_u:object_r:httpd_php_script_b_t b.php
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
index.html
#cat a.php
<?php
$fp = fopen("b.php","r");
if ($fp)
{
echo "sorry, could access the another domain :-(";
}
fclose($fp);
?>
#cat myphp.te
#file types httpd_php_script_x_t
type httpd_php_script_a_t, file_type, sysadmfile;
type httpd_php_script_b_t, file_type, sysadmfile;
#process domains httpd_php_domain_x_t
type httpd_php_domain_a_t, domain, privmail;
type httpd_php_domain_b_t, domain, privmail;
#allow apache acces the new types
allow httpd_t httpd_php_script_a_t:file { getattr read };
allow httpd_t httpd_php_script_b_t:file { getattr read };
#authorize system_r for httpd_php_domain_x_t;
role system_r types httpd_php_domain_a_t;
role system_r types httpd_php_domain_b_t;
#domain auto transition
domain_auto_trans(httpd_t, httpd_php_script_a_t, httpd_php_domain_a_t);
domain_auto_trans(httpd_t, httpd_php_script_b_t, httpd_php_domain_a_t);
# make reload
#cat /selinux/enforce
1
Now, i'll expect an Error, or Acces Denied while Browseraccess
to http://localhost/a.php, but a.php reports "sorry, could access
the another domain :-(". Neither avc denied messages, nor any other Errors.
What's wrong in my policy? Doesn't works the domain auto transition
properly ? How to separate PHP Scripts in their own domains?
Any Help welcome! Thanks in Advance!
Toby
--
--
TobyD
Geschenkt: 3 Monate GMX ProMail gratis + 3 Ausgaben stern gratis
++ Jetzt anmelden & testen ++ http://www.gmx.net/de/go/promail ++
More information about the fedora-selinux-list
mailing list