On Fri, 2005-06-24 at 16:24 +0200, Tobias wrote:
I see. This means that my goal is only possible,
when use php as cgi modules, or?
Yes, any mechanism that causes it to exec the script in a separate
process. Looks like there is some information at
http://www.php.net/manual/en/security.cgi-bin.php FWIW.
Thanks for the clarification! Now, i know my way.
Maybe can Colin write examples in his update for
"Understanding and Customizing the Apache HTTP SELinux Policy" ;)
Yes. It would also likely be an interesting project for someone to try
writing an apache module that uses setcon() to perform a dynamic context
transition for scripts that are directly run by apache, so that they
could at least run with reduced permissions. exec-based transitions are
certainly preferable, but that may not be an option for everyone.
--
Stephen Smalley
National Security Agency