On Mon, Oct 25, 2004 at 09:49:35AM -0400, Colin Walters wrote:
> On Mon, 2004-10-25 at 10:20 +0100, Joe Orton wrote:
> > On Sun, Oct 24, 2004 at 09:55:53PM -0400, Colin Walters wrote:
> > > On Sun, 2004-10-24 at 12:19 +0100, Joe Orton wrote:
> > >
> > > > Oh, this is still so insane! Do you want two copies of libphp4.so, one
> > > > which contains just the "config testing" code too, or what?
> > > >
> > > No, that wouldn't be necessary. Each domain would have the privileges
> > > to map libphp4.so and use it.
> >
> > So why would any PHP code be deemed to be safe to have terminal access,
> > but not certain bits of httpd code?
>
> It doesn't have anything to do with the safety of PHP. Rather, it has
> to do with the fact that SELinux does *not* distinguish between
> different shared libraries within a single process. Once a process
> running as httpd_t loads a shared library, that library is part of the
> process and any code in it runs as httpd_t.

I'm still trying to understand your suggestion to move the bits of code
which do "config testing" into a separate /usr/sbin/httpd-configtest
binary, and how that would avoid the issue. I bring up PHP as an
example of why this isn't really feasible: the code which involves
"config testing" is spread all through the modules, so isn't really
separable.

joe