On Fri, 2005-06-24 at 16:24 +0200, Tobias wrote:
> I see. This means that my goal is only possible,
> when use php as cgi modules, or?

Yes, any mechanism that causes it to exec the script in a separate
process. Looks like there is some information at
http://www.php.net/manual/en/security.cgi-bin.php FWIW.

> Thanks for the clarification! Now, I know my way.
>
> Maybe can Colin write examples in his update for
> "Understanding and Customizing the Apache HTTP SELinux Policy" ;)

Yes. It would also likely be an interesting project for someone to try
writing an apache module that uses setcon() to perform a dynamic context
transition for scripts that are directly run by apache, so that they
could at least run with reduced permissions. exec-based transitions are
certainly preferable, but that may not be an option for everyone.

--
Stephen Smalley
National Security Agency