SELinux settings for a program run either by apache or user?
Colin Walters
walters at redhat.com
Thu Jan 20 15:52:17 UTC 2005
On Thu, 2005-01-20 at 19:56 +1100, Nick Urbanik wrote:

> This raises a can of worms when maintaining the program, and the
> question arises as to which is the "real one".

Well...no, since you still have the same source code and build process,
etc. This solution is a lot like what pre-SELinux chroot scripts did
for bind, etc.

> I'm likely to forget
> to update one or the other.

I'd imagine that your Makefile or whatever would install the two copies
explicitly. Or you could do it in the RPM build process.

> "Which one do I enter into version
> control?" is a question I would ask myself often.

You enter binaries into version control?

> Where are SELinux attributes stored? In the inode?

They are tightly coupled to the inode, yes. Just like Unix permissions
are.

> If not, can hard
> links be given different attributes?

No; hard links are just additional names for the same object. SELinux
protects the actual object, not names or references to objects.

> > The other solution is to define a new type, and grant both domains in
> > question access to it. This is a lot more complex; now you have to
> > consider potential information flow between the two domains which were
> > (presumably) separate before.
>
> Well, that may be more manageable in the long term. Can you suggest a
> (relatively) simple way of doing that?

You'd have to explain more about your setup. Are you just trying to run
the CGI script as an ordinary user from unconfined_t?
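
The point about hard links versus separate copies can be checked directly. The following is an added example, not part of the original message: it creates a file, a hard link and a copy in a temporary directory, then compares inode, mode and SELinux label. File names are constructed for illustration; the label is read from the `security.selinux` extended attribute and is reported as None where SELinux or xattr support is absent.

```python
import os
import shutil
import stat
import tempfile

SELINUX_XATTR = "security.selinux"  # xattr under which Linux stores the context


def read_label(path):
    """Return the SELinux context of path, or None if it cannot be read."""
    try:
        return os.getxattr(path, SELINUX_XATTR).rstrip(b"\0").decode()
    except (OSError, AttributeError):  # no SELinux, no xattr support, non-Linux
        return None


def describe(path):
    """Collect the per-object attributes discussed in the thread."""
    st = os.stat(path)
    return {
        "object": (st.st_dev, st.st_ino),   # identifies the underlying inode
        "mode": stat.S_IMODE(st.st_mode),   # Unix permission bits
        "label": read_label(path),          # SELinux context, if any
        "nlink": st.st_nlink,               # number of names for this inode
    }


def compare_link_and_copy():
    """Show that a hard link shares attributes while a copy does not."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "script.cgi")       # constructed sample file
        link = os.path.join(d, "script-hardlink.cgi")
        copy = os.path.join(d, "script-copy.cgi")
        with open(original, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        os.chmod(original, 0o644)
        os.link(original, link)       # second name for the same inode
        shutil.copy(original, copy)   # new inode with its own attributes
        os.chmod(link, 0o750)         # change made through the link name only
        return describe(original), describe(link), describe(copy)


if __name__ == "__main__":
    for name, info in zip(("original", "hardlink", "copy"), compare_link_and_copy()):
        print(name, info)
```

On an SELinux system, relabelling the copy (for example with chcon) changes only the copy's label, which is why the two-copies approach works and a hard link does not.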