(2010/03/06 6:46), Joshua Roys wrote:
> Hello,
>
> I am wondering if the attached patch creates the actual intended
> behavior? Specifically, at which point httpd calls setcon() when the
> selinuxServerDomain option is set.
>
> The current code ends up calling setcon after sockets have been opened,
> at least if the prefork mpm is in use. Here's the current path: apache
> calls these hooks in this order: pre_config, check_config, open_logs,
> post_config. The prefork mpm opens the listening sockets in open_logs,
> and mod_selinux does setcon() in post_config. However, I noticed that
> the selinuxServerDomain option has the EXEC_ON_READ option set... and I
> noticed issues with labeled networking having the setcon() called after
> the listening sockets are opened.

Hmm. The purpose of selinuxServerDomain is to allow dropping unnecessary
categories at startup time, although mod_selinux.pp sets it to translate
into 's0 - mcs_systemhigh'. So the listener sockets should also be created
in the configured domain. It seems to me that what you pointed out is fair
enough.

However, I cannot agree to changing the security context of the server
while it parses the configuration file, because we can call setcon() in
the open_logs hook earlier than the listener sockets are created by using
APR_HOOK_FIRST, not APR_HOOK_MIDDLE.

Thanks,

> The attached patch deletes (well, in this version just comments out...)
> the mod_selinux post_config hook, and calls the routine directly from
> the set_server_domain option-processing hook. This, because of the
> EXEC_ON_READ option, is executed immediately upon finding a
> selinuxServerDomain option in a httpd config file. Thus, setcon() is
> called before sockets are opened.
>
> Josh

--
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
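The ordering argument in this thread, as an added model written for this page (it is not httpd, APR or mod_selinux code): phases run in the order Josh lists, hooks inside one phase run by ascending APR order value (the constants are those of apr_hooks.h), and the tie-breaking by registration order is an assumption of the model, not a guarantee APR gives.

```c
/* Model of when setcon() runs relative to the prefork MPM's listen() call.
 * Assumptions: phase order pre_config < check_config < open_logs < post_config
 * (from the thread), listeners created in open_logs at APR_HOOK_MIDDLE,
 * and ties within a phase broken by registration order (model assumption). */
#include <stdio.h>

#define APR_HOOK_REALLY_FIRST (-10)
#define APR_HOOK_FIRST        0
#define APR_HOOK_MIDDLE       10
#define APR_HOOK_LAST         20

/* CONFIG_READ stands for EXEC_ON_READ directives, which run while the
 * configuration is parsed, i.e. before any of the hook phases. */
enum phase { CONFIG_READ, PRE_CONFIG, CHECK_CONFIG, OPEN_LOGS, POST_CONFIG };

struct hook { const char *name; enum phase phase; int order; int reg_seq; };

/* Earlier phase wins; inside a phase the lower order value runs first;
 * equal order falls back to registration sequence (assumption). */
static int runs_before(const struct hook *a, const struct hook *b)
{
    if (a->phase != b->phase) return a->phase < b->phase;
    if (a->order != b->order) return a->order < b->order;
    return a->reg_seq < b->reg_seq;
}

/* Returns 1 if a setcon() hook registered at (phase, order) runs before the
 * listening sockets exist, 0 if the sockets are already open by then. */
int setcon_before_listen(enum phase setcon_phase, int setcon_order,
                         int setcon_registered_first)
{
    struct hook listen = { "prefork open_logs: listen()", OPEN_LOGS,
                           APR_HOOK_MIDDLE, setcon_registered_first ? 1 : 0 };
    struct hook setcon = { "mod_selinux: setcon()", setcon_phase,
                           setcon_order, setcon_registered_first ? 0 : 1 };
    return runs_before(&setcon, &listen);
}

int main(void)
{
    printf("post_config / MIDDLE (current code):        %d\n",
           setcon_before_listen(POST_CONFIG, APR_HOOK_MIDDLE, 0));
    printf("config read / EXEC_ON_READ (Josh's patch):  %d\n",
           setcon_before_listen(CONFIG_READ, APR_HOOK_MIDDLE, 0));
    printf("open_logs / FIRST (KaiGai's proposal):      %d\n",
           setcon_before_listen(OPEN_LOGS, APR_HOOK_FIRST, 0));
    printf("open_logs / MIDDLE, registered after MPM:   %d\n",
           setcon_before_listen(OPEN_LOGS, APR_HOOK_MIDDLE, 0));
    return 0;
}
```

The last case shows why the order value matters: staying at APR_HOOK_MIDDLE in open_logs leaves setcon() racing the MPM for position, while APR_HOOK_FIRST makes the ordering explicit.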