Hi Colin, hi ML,

>http://fedora.redhat.com/docs/selinux-apache-fc3/sn-further-approaches.html#sn-cgi-subdomains
>
> Need to update that for FC4...soon, hopefully :)

:)

> > What's wrong in my policy? Doesn't the domain auto transition work
> > properly? How to separate PHP scripts in their own domains?
>
> Are these PHP scripts actually being executed as separate processes?
>
> SELinux policy is applied at the level of processes; there is no builtin
> mechanism for confining different PHP scripts that run in the same httpd
> process. It would be possible to achieve some level of security by
> using dynamic domain transitions e.g. with an Apache module, but no one
> has written it yet.

I have a bit of experience with domain_auto_trans related to executable binaries (flow: user_t->execute binary->newtype_t->other_rights_than_user_t) and I hoped Apache and PHP scripts are similar (flow: httpd_t->execute script->httpd_new_t->other_rights_than_httpd_t).

See my previous email (reply to Daniel Walsh), please.

TIA :)
Toby

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
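
The question quoted in this message (are the PHP scripts executed as separate processes?) can be answered from process labels. The following is an added example, not part of the original message or of any project's code: it parses constructed `ps -eZ` rows, already filtered to the web server and its children. The `php-cgi` command name and the sample rows are assumptions; `httpd_new_t` is the hypothetical domain named in the message.

```python
from collections import defaultdict

# Constructed `ps -eZ` snapshots (illustrative, not output from the thread).
# Case A: PHP interpreted inside the Apache workers, so no exec() happens.
PS_IN_PROCESS = """\
LABEL                          PID TTY      TIME CMD
root:system_r:httpd_t         2301 ?    00:00:01 httpd
root:system_r:httpd_t         2305 ?    00:00:00 httpd
"""
# Case B: scripts exec'd as CGI; an exec-based domain transition has fired.
PS_CGI = """\
LABEL                          PID TTY      TIME CMD
root:system_r:httpd_t         2301 ?    00:00:01 httpd
root:system_r:httpd_new_t     2410 ?    00:00:00 php-cgi
"""


def domains_by_command(ps_output):
    """Map each command name to the set of SELinux types it runs under."""
    result = defaultdict(set)
    for line in ps_output.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue                          # ignore malformed rows
        label, cmd = fields[0], fields[-1]
        parts = label.split(":")
        if len(parts) < 3:
            continue                          # unlabeled or odd context
        result[cmd].add(parts[2])             # user:role:type[:mls]
    return dict(result)


def confined_separately(ps_output, server_domain="httpd_t"):
    """Return the commands that run outside the server's domain.

    An empty result means nothing left server_domain: the scripts either
    run inside the server process or were exec'd without a transition.
    """
    return {cmd: types
            for cmd, types in domains_by_command(ps_output).items()
            if types - {server_domain}}


if __name__ == "__main__":
    print("in-process:", confined_separately(PS_IN_PROCESS))
    print("cgi:       ", confined_separately(PS_CGI))
```
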