Individual Domains for Particular PHP Scripts.

Tobias TobyD at
Thu Jun 23 22:44:39 UTC 2005

Hi Daniel, hi Maillist,

> A better approach would be to create a te file with the following
> more domains/program/myphp.te
> #myphp.te
> apache_domain(myphp)
> And
> more file_contexts/program/myphp.fc
> /var/www/cgi-bin/myphp          -- 
> system_u:object_r:httpd_myphp_script_exec_t

It doesn't work, or we misunderstood each other.

#cat myphp.te

# ls -laZ /var/www/html/
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ..
-rw-r--r--  root     root     system_u:object_r:httpd_myphp_a_script_exec_t
-rw-r--r--  root     root     system_u:object_r:httpd_myphp_b_script_exec_t

# cat /var/www/html/a.php
<?php
// a.php: the read of b.php below is what the per-script domain should deny
echo "hello. i'm a.php and now i'll try to read b.php. ";
$fp = fopen("b.php", "r");
if ($fp) {
    echo "oops, i've got the b.php, but it must not happen :-(";
    fclose($fp);
}

Script a.php will try to open (read) script b.php.
My goal is to protect/separate script b.php from script a.php
and a.php from b.php, so when one is buggy, it couldn't
access the other script (same scenario as mentioned above,
but there it was .cgi scripts and here it is .php).
A thought crossed my mind: I'll assign individual domains
to a.php and b.php and use a domain_auto_trans,
so that a requested a.php transitions automatically
from httpd_t into its new domain, and access is then
denied when it tries to read b.php with its new type.

With Daniel's proposal to use the macro apache_domain(myphp_X)
it doesn't work. a.php still opens b.php.
Do you have any idea how to fix that?

Thanks! :)
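The setup described in this post depends on each script carrying its own *_script_exec_t label, and on no two scripts sharing one (two scripts with the same exec type would transition into the same domain and could read each other freely). The following added check, which is not part of the original post or of the SELinux reference policy, parses `ls -laZ` output and reports scripts that are missing a script exec type or that share one. The listing embedded below is constructed from the contexts shown in the post; the filenames a.php, b.php and index.php are assumptions, since the poster's listing lost its names. Note that the label alone only matters if httpd actually executes the file (as it does for CGI); a script that the web server merely reads stays in httpd_t, and the check cannot tell you which of the two is happening.

```python
import re

# Constructed sample of `ls -laZ /var/www/html/` output (assumption: filenames
# are not from the original post; the contexts are).
SAMPLE_LS_Z = """\
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ..
-rw-r--r--  root     root     system_u:object_r:httpd_myphp_a_script_exec_t a.php
-rw-r--r--  root     root     system_u:object_r:httpd_myphp_b_script_exec_t b.php
-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t index.php
"""

# mode, owner, group, user:role:type[:level], name
LINE_RE = re.compile(
    r"^(?P<mode>\S+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<ctx>\S+:\S+:\S+)\s+(?P<name>.+)$"
)


def parse_ls_z(text):
    """Return {filename: selinux_type} for regular files in an `ls -laZ` listing.

    Directories and the . / .. entries are skipped; only the third field of
    the context (the type) is kept, which also works for MLS contexts that
    carry a fourth level field.
    """
    files = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("name") in (".", ".."):
            continue
        if not m.group("mode").startswith("-"):
            continue
        files[m.group("name")] = m.group("ctx").split(":")[2]
    return files


def check_separation(files, scripts):
    """Return a list of problems for the scripts that are meant to be isolated.

    A problem is: the script is missing from the listing, its type is not a
    *_script_exec_t type (so no domain transition can happen on exec), or it
    shares its exec type with another listed script (same target domain).
    """
    problems = []
    owner_of_type = {}
    for name in scripts:
        t = files.get(name)
        if t is None:
            problems.append("%s: not found in listing" % name)
            continue
        if not t.endswith("_script_exec_t"):
            problems.append(
                "%s: type %s is not a script exec type; no domain transition"
                % (name, t)
            )
            continue
        if t in owner_of_type:
            problems.append(
                "%s and %s share type %s; they would run in the same domain"
                % (name, owner_of_type[t], t)
            )
        else:
            owner_of_type[t] = name
    return problems


if __name__ == "__main__":
    labelled = parse_ls_z(SAMPLE_LS_Z)
    for problem in check_separation(labelled, ["a.php", "b.php", "index.php"]):
        print(problem)
```

Run it against real output by replacing SAMPLE_LS_Z with the captured listing of the script directory; an empty result means every named script has its own exec type, which is the precondition for the per-script transitions the post is trying to set up.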
