TobyD@xxxxxxxxxx wrote:
Hi SELinux users!
I've read:
http://fedora.redhat.com/docs/selinux-apache-fc3/sn-further-approaches.html#sn-cgi-subdomains
My Testbed: FC4 with selinux-policy-strict-sources-1.23.16-6.
My Steps:
#ls -laZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_php_script_a_t a.php
-rw-r--r-- root root system_u:object_r:httpd_php_script_b_t b.php
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t index.html
#cat a.php
<?php
// Try to open the other script; if a.php and b.php really run in
// separate domains, this open should be denied.
$fp = fopen("b.php", "r");
if ($fp)
{
    echo "sorry, could access the another domain :-(";
    fclose($fp);
}
else
{
    echo "access to b.php denied";
}
?>
#cat myphp.te
# file types httpd_php_script_x_t
type httpd_php_script_a_t, file_type, sysadmfile;
type httpd_php_script_b_t, file_type, sysadmfile;
# process domains httpd_php_domain_x_t
type httpd_php_domain_a_t, domain, privmail;
type httpd_php_domain_b_t, domain, privmail;
# allow apache access to the new types
allow httpd_t httpd_php_script_a_t:file { getattr read };
allow httpd_t httpd_php_script_b_t:file { getattr read };
# authorize system_r for httpd_php_domain_x_t
role system_r types httpd_php_domain_a_t;
role system_r types httpd_php_domain_b_t;
# domain auto transition: httpd_t executing a script of type x enters domain x
domain_auto_trans(httpd_t, httpd_php_script_a_t, httpd_php_domain_a_t);
domain_auto_trans(httpd_t, httpd_php_script_b_t, httpd_php_domain_b_t);
# make reload
#cat /selinux/enforce
1
Now I expected an error or access denied on browser access to
http://localhost/a.php, but a.php reports "sorry, could access
the another domain :-(". Neither avc denied messages nor any other errors.
What's wrong in my policy? Doesn't the domain auto transition work
properly? How do I separate PHP scripts into their own domains?
Any help welcome! Thanks in advance!
Toby
A better approach would be to create a te file with the following:
more domains/program/myphp.te
#myphp.te
apache_domain(myphp)
And
more file_contexts/program/myphp.fc
/var/www/cgi-bin/myphp -- system_u:object_r:httpd_myphp_script_exec_t
This will create file types of
type httpd_myphp_content_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_myphp_htaccess_t, file_type, sysadmfile, customizable;
type httpd_myphp_script_exec_t, file_type, sysadmfile, customizable;
type httpd_myphp_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_myphp_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_myphp_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
which you can assign in your fc file to files/directories depending on
what your script wants to do. You can also add additional allow rules
to your te file to grant it access.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
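The reply's approach carried through to the two-script case the question asked about, as an added example that is not code from the thread or from the Fedora policy: a shell script that writes a domains/program/myphp.te calling apache_domain() twice (one domain per script group, so a.php and b.php end up in httpd_myphp_a_script_t and httpd_myphp_b_script_t with no rule letting one read the other's files) and a matching file_contexts/program/myphp.fc, then rebuilds the policy, relabels and exercises the boundary. Assumed here, not stated in the thread: the strict policy source tree is at /etc/selinux/strict/src/policy, apache_domain(NAME) creates a process domain httpd_NAME_script_t alongside the httpd_NAME_* file types listed in the reply, and the scripts run as CGI programs under /var/www/cgi-bin (each with an interpreter #! line and the execute bit). That last point is also why the original policy showed no denial: domain_auto_trans takes effect on execve, and mod_php interprets a file inside the httpd_t process without ever executing it, so a.php ran as httpd_t, which the posted policy explicitly allowed to read httpd_php_script_b_t.

```shell
#!/bin/sh
# Added example (not code from the thread): isolate two groups of CGI PHP
# scripts in separate SELinux domains with the apache_domain() macro of the
# FC4 strict policy sources. Assumptions (labelled in the lead-in as well):
#  - strict policy sources live in /etc/selinux/strict/src/policy
#  - apache_domain(NAME) creates the httpd_NAME_* file types plus a process
#    domain httpd_NAME_script_t entered on execve of an httpd_NAME_script_exec_t file
#  - scripts are run as CGI programs, since only execve triggers a transition
set -eu

POLICY_SRC=${POLICY_SRC:-/etc/selinux/strict/src/policy}
CGI_DIR=${CGI_DIR:-/var/www/cgi-bin}

# Policy fragment: one apache_domain() call per isolation boundary. Nothing
# lets httpd_myphp_a_script_t touch httpd_myphp_b_* types, so a.php opening
# b.php is denied by default (the denial the original poster expected).
myphp_te() {
    cat <<'EOF'
# domains/program/myphp.te
apache_domain(myphp_a)
apache_domain(myphp_b)
# Cross-domain access has to be granted explicitly; left out on purpose.
# allow httpd_myphp_a_script_t httpd_myphp_b_script_exec_t:file { getattr read };
EOF
}

# File contexts: each script tree gets its own *_script_exec_t and each
# writable data directory its own *_script_rw_t.
myphp_fc() {
    cat <<EOF
# file_contexts/program/myphp.fc
$CGI_DIR/myphp_a(/.*)?  system_u:object_r:httpd_myphp_a_script_exec_t
$CGI_DIR/myphp_b(/.*)?  system_u:object_r:httpd_myphp_b_script_exec_t
/var/www/myphp_a/data(/.*)?  system_u:object_r:httpd_myphp_a_script_rw_t
/var/www/myphp_b/data(/.*)?  system_u:object_r:httpd_myphp_b_script_rw_t
EOF
}

# Write both fragments into a policy source tree rooted at $1.
install_fragments() {
    root=$1
    mkdir -p "$root/domains/program" "$root/file_contexts/program"
    myphp_te > "$root/domains/program/myphp.te"
    myphp_fc > "$root/file_contexts/program/myphp.fc"
}

# Number of script domains the fragment declares: every script group that
# must not read another group's files needs its own apache_domain() line.
count_domains() {
    myphp_te | grep -c '^apache_domain('
}

# Rebuild and load the policy, relabel the script trees and exercise the
# boundary. Only meaningful on a host that has the strict policy sources.
apply_and_check() {
    install_fragments "$POLICY_SRC"
    (cd "$POLICY_SRC" && make reload)
    restorecon -Rv "$CGI_DIR" /var/www/myphp_a /var/www/myphp_b
    ls -Z "$CGI_DIR/myphp_a" "$CGI_DIR/myphp_b"
    # a.php under myphp_a does fopen("../myphp_b/b.php"); the denial shows
    # up as a.php's "denied" output and as an AVC record for its domain.
    curl -s http://localhost/cgi-bin/myphp_a/a.php; echo
    grep 'avc: *denied.*httpd_myphp_a_script_t' /var/log/audit/audit.log | tail -n 3 || true
}

if [ -d "$POLICY_SRC" ]; then
    apply_and_check
else
    echo "no strict policy source tree at $POLICY_SRC; fragments would be:" >&2
    myphp_te
    myphp_fc
fi
```

Run it as root on the test box; on a host without the policy source tree it only prints the two fragments. The scripts themselves need a #! line pointing at the CGI PHP interpreter and the execute bit, and cgi-bin must be enabled in httpd.conf (and, where the policy has it, the httpd_enable_cgi boolean turned on). Denials from the new script domain land in /var/log/audit/audit.log while auditd is running and in /var/log/messages otherwise.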