(2010/03/09 6:22), Joshua Roys wrote:
> On 03/08/2010 01:42 AM, KaiGai Kohei wrote:
>>> The current code ends up calling setcon after sockets have been opened,
> ...
>>> noticed issues with labeled networking having the setcon() called after
>>> the listening sockets are opened.
>>
>> Hmm. The purpose of selinuxServerDomain is to allow dropping unnecessary
>> categories at startup time, although mod_selinux.pp sets it to
>> translate into 's0 - mcs_systemhigh'. So the listener sockets should
>> also be created in the configured domain.
>> It seems to me that what you pointed out is fair enough.
>>
>> However, I cannot agree to changing the security context of the server
>> while it parses the configuration file, because we can call setcon()
>> in the open_logs hook, earlier than the listener sockets are created,
>> using APR_HOOK_FIRST rather than APR_HOOK_MIDDLE.
>>
>> Thanks,
>>
>
> Hello,
>
> Do you mean that instead of mod_selinux hooking post_config, it would now
> hook open_logs? If so, I think you would have to use something like
> (APR_HOOK_REALLY_FIRST-1), because prefork.c hooks open_logs using
> REALLY_FIRST...

Yes, and not only prefork: all the supported MPM engines do it in this manner.
As long as we are in the apache/httpd-2.2.x series, this hack will be needed.

In the upcoming apache/httpd-2.4.x series, an MPM engine can be implemented
as a genuinely loadable module, so we will be able to avoid this kind of hack
with multi-processing behavior suitable for SELinux...

Thanks,
--
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
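The ordering argument in the exchange above, as an added example that is not part of the thread and not code from mod_selinux or httpd: httpd runs the open_logs hooks before the post_config hooks, and within a phase APR runs hooks in ascending order value, so a setcon() hook registered in post_config (or in open_logs at APR_HOOK_FIRST) lands after the MPM's open_logs hook at APR_HOOK_REALLY_FIRST, where the listening sockets are set up. The APR_HOOK_* values are the real ones from apr_hooks.h; the phase enum, the hook table, the "prefork:listen" and "mod_selinux:setcon" labels and the sort are constructed stand-ins so the model compiles without the httpd headers. It does not model APR's handling of two hooks with the same order value, which is exactly why the thread settles on APR_HOOK_REALLY_FIRST-1 instead of a tie at APR_HOOK_REALLY_FIRST.

```c
/* Model of httpd 2.2 startup hook ordering (added example, not httpd code).
 * Real values from apr_hooks.h; smaller order runs first within a phase. */
#include <stdio.h>
#include <string.h>

#define APR_HOOK_REALLY_FIRST (-10)
#define APR_HOOK_FIRST          0
#define APR_HOOK_MIDDLE         10
#define APR_HOOK_LAST           20
#define APR_HOOK_REALLY_LAST    30

/* httpd's main() runs the open_logs hooks before the post_config hooks. */
enum phase { PHASE_OPEN_LOGS = 0, PHASE_POST_CONFIG = 1 };

typedef struct {
    const char *module;   /* constructed label, e.g. "prefork:listen" */
    enum phase  phase;
    int         order;    /* APR_HOOK_* value */
} hook_t;

#define MAX_HOOKS 8
static hook_t hooks[MAX_HOOKS];
static int    nhooks;

static void reset_hooks(void) { nhooks = 0; }

static int register_hook(const char *module, enum phase ph, int order)
{
    if (nhooks >= MAX_HOOKS) return -1;
    hooks[nhooks].module = module;
    hooks[nhooks].phase  = ph;
    hooks[nhooks].order  = order;
    nhooks++;
    return 0;
}

/* Write the run sequence as "a,b,c": phases in httpd order, then ascending
 * order value (stable insertion sort; equal order values keep registration
 * order here, which is an assumption of this model, not a property of APR). */
static int run_sequence(char *out, size_t outlen)
{
    hook_t sorted[MAX_HOOKS];
    int n = nhooks;
    memcpy(sorted, hooks, sizeof(hook_t) * (size_t)n);
    for (int i = 1; i < n; i++) {
        hook_t key = sorted[i];
        int j = i - 1;
        while (j >= 0 && (sorted[j].phase > key.phase ||
               (sorted[j].phase == key.phase && sorted[j].order > key.order))) {
            sorted[j + 1] = sorted[j];
            j--;
        }
        sorted[j + 1] = key;
    }
    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (i) strncat(out, ",", outlen - strlen(out) - 1);
        strncat(out, sorted[i].module, outlen - strlen(out) - 1);
    }
    return n;
}

/* 1 if mod_selinux's setcon() hook would run before the MPM sets up the
 * listening sockets, given the phase and order mod_selinux registers at.
 * "prefork:listen" stands in for ap_setup_listeners() called from the
 * MPM's open_logs hook at APR_HOOK_REALLY_FIRST (true of all 2.2 MPMs). */
static int setcon_before_listeners(enum phase selinux_phase, int selinux_order)
{
    char seq[128];
    reset_hooks();
    register_hook("prefork:listen", PHASE_OPEN_LOGS, APR_HOOK_REALLY_FIRST);
    register_hook("mod_selinux:setcon", selinux_phase, selinux_order);
    run_sequence(seq, sizeof seq);
    return strstr(seq, "mod_selinux:setcon") < strstr(seq, "prefork:listen");
}

int main(void)
{
    printf("post_config, APR_HOOK_MIDDLE        -> setcon first? %d\n",
           setcon_before_listeners(PHASE_POST_CONFIG, APR_HOOK_MIDDLE));
    printf("open_logs,   APR_HOOK_FIRST         -> setcon first? %d\n",
           setcon_before_listeners(PHASE_OPEN_LOGS, APR_HOOK_FIRST));
    printf("open_logs,   APR_HOOK_REALLY_FIRST-1 -> setcon first? %d\n",
           setcon_before_listeners(PHASE_OPEN_LOGS, APR_HOOK_REALLY_FIRST - 1));
    return 0;
}
```

The first two registrations are the situations Joshua describes (post_config, and open_logs at APR_HOOK_FIRST as KaiGai first proposed): both leave the sockets created in the original context. Only an order value below the MPM's APR_HOOK_REALLY_FIRST puts setcon() ahead of socket creation, which is the REALLY_FIRST-1 hack the thread agrees is needed for 2.2.x.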