Individual Domains for Particular PHP Scripts.

Stephen Smalley sds at
Fri Jun 24 12:16:14 UTC 2005

On Fri, 2005-06-24 at 03:05 +0200, Tobias wrote:
> I've a bit experience with domain_auto_trans related by executable binaries 
> (flow: user_t->execute binary->newtype_t->other_rights_than_user_t)
> and i hoped apache and php-scripts are similar 
> (flow: httpd_t->execute script->httpd_new_t->other_rights_than_httpd_t).
> See my previous email (reply to Daniel Walsh), please.

Depends on whether apache forks and execs the interpreter in a separate
process, or just directly executes an interpreter in its own process
(via mod_php).  My impression was that php is typically run in-process
by apache, thus you couldn't change domains for it without introducing
some kind of mod_dyntras module that performs a dynamic domain
transition in the apache process.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list