On Wed, 2005-03-30 at 10:03 -0600, Christofer C. Bell wrote:
That's a very good point and really bears spelling out. How would one
go about creating the new domain and then implementing the proper
transition for just one set of CGI scripts? I ask because I (was)
running Open WebMail and ran into the case where I needed to
effectively disable SELinux controls over all CGI scripts to allow OWM
to run. I would have preferred the case where these controls were
removed *only* for the relevant scripts, allowing the remaining
scripts to keep the protections afforded by the default policy.
Easiest way to create a domain presently is to copy an existing one and
edit it, using your favorite filter to replace all occurrences of the
old prefix with a new one. By introducing a separate _exec_t type for
the new domain (e.g. httpd_passwd_exec_t) and assigning that type to the
particular CGI script in question (manually with chcon or via restorecon
after updating your file_contexts), you only affect that particular
script.
Possible resources:
- The RHEL4 SELinux Guide,
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
- Understanding and Customizing the Apache HTTP SELinux Policy,
http://fedora.redhat.com/docs/selinux-apache-fc3/
- Sourceforge SELinux HOWTOs,
http://sourceforge.net/docman/?group_id=21266
- SELinux: NSA's Open Source Security Enhanced Linux by Bill McCarty,
http://www.oreilly.com/catalog/selinux/
- Tresys Technology Policy Writing Course Slides,
http://www.tresys.com/selinux/selinux-course-outline.html
- Configuring the SELinux Policy,
http://www.nsa.gov/selinux/papers/policy2-abs.cfm
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
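The copy-and-rename procedure from the reply, as an added shell example that is not from the thread: it clones a per-script domain fragment by prefix substitution, emits the file_contexts entry for the one script, and prints the relabel commands. The template fragment, the httpd_owm_* names and the script path are constructed; the fragment follows the old example-policy style (domain_auto_trans macro, file_type/sysadmfile attributes) and must be adapted to the policy source actually in use.

```shell
#!/bin/sh
# Added example, not from the thread. Clones a per-script domain fragment by
# prefix substitution and emits the matching file_contexts entry. The
# template is constructed; it uses old example-policy conventions
# (domain_auto_trans macro, file_type/sysadmfile attributes) and the
# httpd_owm_* names are invented for Open WebMail.

# Constructed template: one CGI script in its own domain with its own _exec_t.
TEMPLATE='type httpd_passwd_exec_t, file_type, sysadmfile;
type httpd_passwd_t, domain;
role system_r types httpd_passwd_t;
domain_auto_trans(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
allow httpd_passwd_t httpd_passwd_exec_t:file { read execute entrypoint };'

# clone_domain OLD NEW: replace every occurrence of the OLD prefix on stdin.
# The parent domain (httpd_t) does not carry the prefix, so it is untouched.
clone_domain() {
  sed "s/$1/$2/g"
}

# file_context_line PATH TYPE: a file_contexts entry for one regular file,
# so restorecon labels only that script with the new _exec_t type.
file_context_line() {
  printf '%s\t--\tsystem_u:object_r:%s\n' "$1" "$2"
}

# relabel_commands PATH TYPE: what to run after the policy is rebuilt
# (printed here rather than executed, since this script is illustrative).
relabel_commands() {
  printf 'chcon -t %s %s\n' "$2" "$1"
  printf 'restorecon -v %s\n' "$1"
}

SCRIPT=/var/www/cgi-bin/openwebmail/openwebmail.pl   # assumed path
owm_policy=$(printf '%s\n' "$TEMPLATE" | clone_domain httpd_passwd httpd_owm)

printf '%s\n\n' "$owm_policy"
file_context_line "$SCRIPT" httpd_owm_exec_t
relabel_commands "$SCRIPT" httpd_owm_exec_t
```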