Hi Daniel, hi Maillist,

> A better approach would be to create a te file with the following
>
> more domains/program/myphp.te
> #myphp.te
> apache_domain(myphp)
>
> And
> more file_contexts/program/myphp.fc
> /var/www/cgi-bin/myphp -- system_u:object_r:httpd_myphp_script_exec_t

It doesn't work, or we misunderstood each other.

#cat myphp.te
apache_domain(myphp_a);
apache_domain(myphp_b);

# ls -laZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_myphp_a_script_exec_t a.php
-rw-r--r-- root root system_u:object_r:httpd_myphp_b_script_exec_t b.php

# cat /var/www/html/a.php
<?php
// Test script: a.php tries to read b.php, which is labelled with a different type.
echo "hello. i'm a.php and now i'll try to read b.php. ";
$fp = fopen("b.php", "r");
if ($fp) {
    // Reaching this branch means the policy did not block the read.
    echo "oops, i've got the b.php, but it must not happen :-(";
    // Close the handle only if fopen() succeeded.
    fclose($fp);
}
?>

Script a.php will try to open (read) script b.php. My goal is to protect/separate script b.php from script a.php and a.php from b.php, so that when one is buggy, it can't access the other script (the same scenario as mentioned above at: http://fedora.redhat.com/docs/selinux-apache-fc3/sn-further-approaches.html#sn-cgi-subdomains but there they are .cgi scripts and here .php).

A thought crossed my mind: I'll assign individual domains for a.php and b.php and use a domain_auto_trans, so that the requested a.php transitions automatically from httpd_t into its new domain, and access is then denied when it tries to read b.php with its new type.

With Daniel's proposal to use the macro apache_domain(myphp_X) it doesn't work. a.php still opens b.php.

Do you have any idea how to fix that?

Thanks! :)
Toby