Individual Domains for Particular PHP Scripts.

Stephen Smalley sds at
Fri Jun 24 14:38:41 UTC 2005

On Fri, 2005-06-24 at 16:24 +0200, Tobias wrote:
> I see. This means that my goal is only possible,
> when use php as cgi modules, or?

Yes, any mechanism that causes it to exec the script in a separate
process.  Looks like there is some information at FWIW.

> Thanks for the clarification! Now, i know my way.
> Maybe can Colin write examples in his update for
> "Understanding and Customizing the Apache HTTP SELinux Policy" ;)

Yes.  It would also likely be an interesting project for someone to try
writing an apache module that uses setcon() to perform a dynamic context
transition for scripts that are directly run by apache, so that they
could at least run with reduced permissions.  exec-based transitions are
certainly preferable, but that may not be an option for everyone.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list