Individual Domains for Particular PHP Scripts.

Tobias TobyD at wolke7.net
Thu Jun 23 22:44:39 UTC 2005


Hi Daniel, hi Maillist,

> A better approach would be to create a te file with the following
> 
> 
> more domains/program/myphp.te
> #myphp.te
> apache_domain(myphp)
> 
> And
> more file_contexts/program/myphp.fc
> /var/www/cgi-bin/myphp          -- system_u:object_r:httpd_myphp_script_exec_t
> 

It doesn't work, or we have misunderstood each other.

# cat myphp.te
apache_domain(myphp_a);
apache_domain(myphp_b);

# ls -laZ /var/www/html/
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ..
-rw-r--r--  root     root     system_u:object_r:httpd_myphp_a_script_exec_t a.php
-rw-r--r--  root     root     system_u:object_r:httpd_myphp_b_script_exec_t b.php

# cat /var/www/html/a.php
<?php
echo "hello. i'm a.php and now i'll try to read b.php. ";
$fp = fopen("b.php", "r");
if ($fp) {
    // reading b.php should be denied by policy; reaching here means it was not
    echo "oops, i've got the b.php, but it must not happen :-(";
    fclose($fp); // only close a handle that was actually opened
}
?>

Script a.php will try to open (read) script b.php.
My goal is to protect/separate script b.php from script a.php
and a.php from b.php, so that when one is buggy, it cannot
access the other script (the same scenario as mentioned above
on:
http://fedora.redhat.com/docs/selinux-apache-fc3/sn-further-approaches.html#sn-cgi-subdomains
but there they are .cgi scripts and here .php).
A thought crossed my mind: I'll assign individual domains
to a.php and b.php and use a domain_auto_trans,
so that a requested a.php transitions automatically
from httpd_t into its new domain, and access is then
denied when it tries to read b.php with its new type.

With Daniel's proposal to use the macro apache_domain(myphp_X)
it doesn't work. a.php still opens b.php.
Have you any idea how to fix that?

Thanks! :)
Toby
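A diagnostic that answers the question behind this mail, added here and not part of the thread: it prints the SELinux context the PHP script actually runs in and whether the sibling script is readable. A domain transition only happens when a file with an entrypoint type is executed (as a CGI binary is), not when an interpreter running inside httpd merely reads it, so the type field shown here is what governs the fopen() result. It assumes the layout from the mail, /var/www/html/a.php next to b.php.

```php
<?php
// Added diagnostic (not from the thread). Assumes a.php and b.php live in
// the same directory, as in /var/www/html/ above.
header('Content-Type: text/plain');

// /proc/self/attr/current holds the SELinux context of the calling process.
// Under mod_php that is the httpd worker's own context (normally httpd_t),
// because the .php file is read by the interpreter, never exec()'d, so an
// httpd_myphp_a_script_exec_t label on a.php does not trigger a transition.
function current_selinux_context(): string
{
    $ctx = @file_get_contents('/proc/self/attr/current');
    return $ctx === false ? 'unknown' : trim($ctx, "\0\n");
}

// Context looks like user:role:type[:range]; the type is what policy keys on.
function context_type(string $ctx): string
{
    $parts = explode(':', $ctx);
    return $parts[2] ?? 'unknown';
}

// Probe the sibling script without echoing its contents.
function sibling_readable(string $path): bool
{
    $fp = @fopen($path, 'r');
    if ($fp === false) {
        return false;
    }
    fclose($fp);
    return true;
}

$ctx  = current_selinux_context();
$type = context_type($ctx);
$sibling = __DIR__ . '/b.php';

echo "script:         " . __FILE__ . "\n";
echo "process ctx:    $ctx\n";
echo "b.php readable: " . (sibling_readable($sibling) ? 'yes' : 'no') . "\n";

if ($type === 'httpd_t') {
    echo "No transition took place: this script runs as plain httpd_t,\n";
    echo "so a per-script *_script_exec_t type on a.php has no effect.\n";
} elseif (!sibling_readable($sibling)) {
    echo "Denied as intended; the matching AVC message is in the audit log.\n";
}
?>
```

Request a.php through the web server, not from the command line, since the CLI interpreter runs in the shell's context rather than httpd's.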

