On 03/08/2010 01:42 AM, KaiGai Kohei wrote:
>> The current code ends up calling setcon after sockets have been opened, ...
>> noticed issues with labeled networking having the setcon() called after
>> the listening sockets are opened.
>
> Hmm. The purpose of selinuxServerDomain is to allow dropping unnecessary
> categories at start-up time, although mod_selinux.pp sets it
> to translate into 's0 - mcs_systemhigh'. So, the listener sockets
> also should be created in the configured domain.
> It seems to me what you pointed out is fair enough.
>
> However, I cannot agree to change the security context of the server
> while it parses the configuration file, because we can call setcon()
> in the open_logs hook earlier than listener sockets are created using
> APR_HOOK_FIRST, not APR_HOOK_MIDDLE.
>
> Thanks,
>

Hello,

Do you mean instead of mod_selinux hooking post_config, it would now hook open_logs?

If so, I think you would have to use something like (APR_HOOK_REALLY_FIRST-1), because prefork.c hooks open_logs using REALLY_FIRST...

Thanks,
Josh
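As an added illustration of the ordering question Josh raises (this is not mod_selinux's or httpd's own code): a stand-alone C model of how APR runs open_logs hooks in order-value order, and of why the listener sockets only carry the server domain's label if setcon() runs before prefork.c creates them. The two SELinux contexts, the hook bodies and the ordering helper are constructed for this example; the APR_HOOK_* values are those from apr_hooks.h.

```c
/* Model of APR open_logs hook ordering vs. setcon(); constructed example, not httpd code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Order constants as defined in apr_hooks.h */
#define APR_HOOK_REALLY_FIRST (-10)
#define APR_HOOK_FIRST        0
#define APR_HOOK_MIDDLE       10

/* Modelled process state: the process' current SELinux context and the
 * context the listener socket received when it was created. */
typedef struct { const char *proc_ctx; const char *listener_ctx; } state_t;
typedef struct { const char *name; int order; void (*fn)(state_t *); } hook_t;

/* Constructed sample contexts (placeholders, not a real policy's values). */
#define INITIAL_CTX "system_u:system_r:initrc_t:s0"
#define SERVER_CTX  "system_u:system_r:httpd_t:s0"

/* prefork.c's open_logs sets up the listeners; a socket takes the label of
 * the context its creating process is in at that moment. */
static void prefork_open_logs(state_t *s) { s->listener_ctx = s->proc_ctx; }

/* Hypothetical mod_selinux open_logs: setcon() into selinuxServerDomain. */
static void selinux_open_logs(state_t *s) { s->proc_ctx = SERVER_CTX; }

static int by_order(const void *a, const void *b) {
    return ((const hook_t *)a)->order - ((const hook_t *)b)->order;
}

/* Registers both hooks, sorts by order value (aszPre/aszSucc constraints,
 * which only matter for ties, are ignored here), runs them and returns the
 * label the listener socket ended up with. */
const char *listener_label_for(int selinux_order) {
    state_t s = { INITIAL_CTX, NULL };
    hook_t hooks[] = {
        { "prefork.c",     APR_HOOK_REALLY_FIRST, prefork_open_logs },
        { "mod_selinux.c", selinux_order,         selinux_open_logs },
    };
    qsort(hooks, 2, sizeof hooks[0], by_order); /* distinct orders: no tie */
    for (size_t i = 0; i < 2; i++) hooks[i].fn(&s);
    return s.listener_ctx;
}

int main(void) {
    printf("APR_HOOK_FIRST:          listener=%s\n", listener_label_for(APR_HOOK_FIRST));
    printf("APR_HOOK_REALLY_FIRST-1: listener=%s\n", listener_label_for(APR_HOOK_REALLY_FIRST - 1));
    return 0;
}
```

With APR_HOOK_FIRST (0) the setcon() hook runs after prefork's REALLY_FIRST (-10) hook, so the listener keeps the initial context; only an order below REALLY_FIRST puts it first, which is the (APR_HOOK_REALLY_FIRST-1) Josh suggests.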