Individual Domains for Particular PHP Scripts.

Daniel J Walsh dwalsh at redhat.com
Thu Jun 23 16:27:22 UTC 2005


TobyD at wolke7.net wrote:

>Hi SELinux users!
>
>I've read:
>http://fedora.redhat.com/docs/selinux-apache-fc3/sn-further-approaches.html#sn-cgi-subdomains
>
>My Testbed: FC4 with selinux-policy-strict-sources-1.23.16-6.
>
>My Steps:
>
>#ls -laZ /var/www/html/
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ..
>-rw-r--r--  root     root     system_u:object_r:httpd_php_script_a_t a.php
>-rw-r--r--  root     root     system_u:object_r:httpd_php_script_b_t b.php
>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t index.html
>
>#cat a.php
><?php
>$fp = fopen("b.php", "r");
>if ($fp) {
>    echo "sorry, could access the another domain :-(";
>    fclose($fp);
>}
>?>
>
>#cat myphp.te
>#file types httpd_php_script_x_t
>type httpd_php_script_a_t, file_type, sysadmfile;
>type httpd_php_script_b_t, file_type, sysadmfile;
>
>#process domains httpd_php_domain_x_t
>type httpd_php_domain_a_t, domain, privmail;
>type httpd_php_domain_b_t, domain, privmail;
>
>#allow apache access to the new types
>allow httpd_t httpd_php_script_a_t:file { getattr read };
>allow httpd_t httpd_php_script_b_t:file { getattr read };
>
>#authorize system_r for httpd_php_domain_x_t;
>role system_r types httpd_php_domain_a_t;
>role system_r types httpd_php_domain_b_t;
>
>#domain auto transition
>domain_auto_trans(httpd_t, httpd_php_script_a_t, httpd_php_domain_a_t);
>domain_auto_trans(httpd_t, httpd_php_script_b_t, httpd_php_domain_a_t);
>
># make reload
>
>#cat /selinux/enforce
>1
>
>Now I'd expect an error or "access denied" on browser access
>to http://localhost/a.php, but a.php reports "sorry, could access
>the another domain :-(". No AVC denied messages, nor any other errors.
>
>What's wrong in my policy? Doesn't the domain auto transition work
>properly? How do I separate PHP scripts into their own domains?
>
>Any Help welcome! Thanks in Advance!
>Toby
>
A better approach would be to create a te file with the following


more domains/program/myphp.te
#myphp.te
apache_domain(myphp)

And
more file_contexts/program/myphp.fc
/var/www/cgi-bin/myphp          --      system_u:object_r:httpd_myphp_script_exec_t

This will create file_types of

type httpd_myphp_content_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_myphp_htaccess_t, file_type, sysadmfile, customizable;
type httpd_myphp_script_exec_t, file_type, sysadmfile, customizable;
type httpd_myphp_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_myphp_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_myphp_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;

Which you can define in your fc file to files/directories depending on 
what your script wants to do.  You can also add additional allow rules 
to your te file to grant it access.
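As an added example (not code from either message above), here is a small Python checker for the kind of hand-written .te fragment quoted in Toby's post: it parses the type, allow, role and domain_auto_trans lines and reports rule-level mistakes, including two script types being funnelled into the same domain. The embedded policy text is a constructed copy of the quoted rules; the checker assumes that legacy syntax and cannot detect the deeper problem that domain_auto_trans only fires on execve, so a script interpreted in-process by mod_php never transitions at all.

```python
import re
from collections import defaultdict

# Constructed copy of the .te fragment quoted in the thread (note b -> domain_a).
POLICY = """
type httpd_php_script_a_t, file_type, sysadmfile;
type httpd_php_script_b_t, file_type, sysadmfile;
type httpd_php_domain_a_t, domain, privmail;
type httpd_php_domain_b_t, domain, privmail;
allow httpd_t httpd_php_script_a_t:file { getattr read };
allow httpd_t httpd_php_script_b_t:file { getattr read };
role system_r types httpd_php_domain_a_t;
role system_r types httpd_php_domain_b_t;
domain_auto_trans(httpd_t, httpd_php_script_a_t, httpd_php_domain_a_t);
domain_auto_trans(httpd_t, httpd_php_script_b_t, httpd_php_domain_a_t);
"""

TYPE_RE = re.compile(r"^type\s+(\w+)\s*,\s*([^;]+);", re.M)
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s*(\{[^}]*\}|\w+)\s*;", re.M)
ROLE_RE = re.compile(r"^role\s+(\w+)\s+types\s+(\w+);", re.M)
TRANS_RE = re.compile(r"^domain_auto_trans\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)", re.M)


def check_policy(text):
    """Return a list of findings (strings) for a legacy-style .te fragment."""
    types = {m.group(1): {a.strip() for a in m.group(2).split(",")}
             for m in TYPE_RE.finditer(text)}
    allows = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        allows[(src, tgt, cls)].update(perms.strip("{} ").split())
    roles = defaultdict(set)
    for role, t in ROLE_RE.findall(text):
        roles[t].add(role)
    by_domain = defaultdict(list)
    findings = []
    for src, entry, dom in TRANS_RE.findall(text):
        by_domain[dom].append(entry)
        if "domain" not in types.get(dom, set()):
            findings.append(f"{dom}: transition target is not declared with the domain attribute")
        elif "system_r" not in roles[dom]:
            findings.append(f"{dom}: missing 'role system_r types', processes cannot enter it")
        # The source domain must be able to read the entrypoint file before it can exec it.
        if not {"getattr", "read"} <= allows[(src, entry, "file")]:
            findings.append(f"{src}: lacks {{ getattr read }} on entrypoint {entry}")
    for dom, entries in by_domain.items():
        if len(entries) > 1:  # several script types share one domain: not isolated from each other
            findings.append(f"{dom}: entrypoints {sorted(entries)} are not isolated, they share one domain")
    return findings
```

Running it on the quoted rules reports that both script types end up in httpd_php_domain_a_t, which is exactly the separation the poster wanted to avoid.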
