Individual Domains for Particular PHP Scripts.

Daniel J Walsh dwalsh at redhat.com
Thu Jun 23 16:27:22 UTC 2005


TobyD at wolke7.net wrote:

>Hi SELinux users!
>
>I've read:
>http://fedora.redhat.com/docs/selinux-apache-fc3/sn-further-approaches.html#sn-cgi-subdomains
>
>My Testbed: FC4 with selinux-policy-strict-sources-1.23.16-6.
>
>My Steps:
>
>#ls -laZ /var/www/html/
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ..
>-rw-r--r--  root     root     system_u:object_r:httpd_php_script_a_t a.php
>-rw-r--r--  root     root     system_u:object_r:httpd_php_script_b_t b.php
>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t index.html
>
>#cat a.php
><?php
>$fp = fopen("b.php","r");
>if ($fp)
>{
>echo "sorry, could access the another domain :-(";
>fclose($fp); // only close a handle that was actually opened
>}
>?>
>
>#cat myphp.te
>#file types httpd_php_script_x_t
>type httpd_php_script_a_t, file_type, sysadmfile;
>type httpd_php_script_b_t, file_type, sysadmfile;
>
>#process domains httpd_php_domain_x_t
>type httpd_php_domain_a_t, domain, privmail;
>type httpd_php_domain_b_t, domain, privmail;
>
>#allow apache access the new types
>allow httpd_t httpd_php_script_a_t:file { getattr read };
>allow httpd_t httpd_php_script_b_t:file { getattr read };
>
>#authorize system_r for httpd_php_domain_x_t;
>role system_r types httpd_php_domain_a_t;
>role system_r types httpd_php_domain_b_t;
>
>#domain auto transition
>domain_auto_trans(httpd_t, httpd_php_script_a_t, httpd_php_domain_a_t);
>domain_auto_trans(httpd_t, httpd_php_script_b_t, httpd_php_domain_a_t);
>
># make reload
>
>#cat /selinux/enforce
>1
>
>Now, I'd expect an error or Access Denied when accessing
>http://localhost/a.php in a browser, but a.php reports "sorry, could access
>the another domain :-(". Neither AVC denied messages nor any other errors.
>
>What's wrong in my policy?  Doesn't the domain auto transition work
>properly? How do I separate PHP scripts into their own domains?
>
>Any Help welcome! Thanks in Advance!
>Toby
>
A better approach would be to create a te file with the following:


more domains/program/myphp.te
#myphp.te
apache_domain(myphp)

And
more file_contexts/program/myphp.fc
/var/www/cgi-bin/myphp          --  system_u:object_r:httpd_myphp_script_exec_t

This will create file_types of

type httpd_myphp_content_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_myphp_htaccess_t, file_type, sysadmfile, customizable;
type httpd_myphp_script_exec_t, file_type, sysadmfile, customizable;
type httpd_myphp_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_myphp_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_myphp_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;

These you can assign to files/directories in your fc file, depending on
what your script wants to do.  You can also add additional allow rules
to your te file to grant it access.
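An added check, not part of either message in this thread, that models the
rules quoted in Toby's myphp.te and answers the question the way a policy
reviewer would. Two properties of the quoted policy explain the result Toby
saw: the allow rules give httpd_t itself read access to both script types,
and domain_auto_trans() only fires when httpd_t execve()s a file of the
entrypoint type. A .php file served through mod_php is never executed, it is
read and interpreted inside httpd_t, so no transition happens, the read of
b.php is performed by httpd_t, and the explicit allow rule makes it succeed
without any AVC message. (The fc line in Dan's reply labels a script under
/var/www/cgi-bin, which httpd does execute, so the apache_domain() transition
applies there.) The evaluator also flags that both domain_auto_trans lines
point at httpd_php_domain_a_t, leaving httpd_php_domain_b_t unused. It parses
only the subset of TE syntax that appears in the quote; the input string is
copied from the question with comments removed, and the helper names are my
own.

```python
import re

# Constructed input: the rules from the myphp.te quoted in the question,
# with comments and blank lines dropped (role lines are kept but ignored).
MYPHP_TE = """
type httpd_php_script_a_t, file_type, sysadmfile;
type httpd_php_script_b_t, file_type, sysadmfile;
type httpd_php_domain_a_t, domain, privmail;
type httpd_php_domain_b_t, domain, privmail;
allow httpd_t httpd_php_script_a_t:file { getattr read };
allow httpd_t httpd_php_script_b_t:file { getattr read };
role system_r types httpd_php_domain_a_t;
role system_r types httpd_php_domain_b_t;
domain_auto_trans(httpd_t, httpd_php_script_a_t, httpd_php_domain_a_t);
domain_auto_trans(httpd_t, httpd_php_script_b_t, httpd_php_domain_a_t);
"""

# Only the three statement forms used in the quote are recognised.
TYPE_RE = re.compile(r"^type\s+(\w+)\s*,\s*([^;]*);")
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\}\s*;")
TRANS_RE = re.compile(r"^domain_auto_trans\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)\s*;")


def parse_te(text):
    """Return (types, allows, transitions) for the TE subset used above."""
    types = {}        # type name -> set of attributes
    allows = []       # (source, target, class, perms)
    transitions = {}  # (source domain, entrypoint file type) -> new domain
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TYPE_RE.match(line)
        if m:
            types[m.group(1)] = {a.strip() for a in m.group(2).split(",")}
            continue
        m = ALLOW_RE.match(line)
        if m:
            allows.append((m.group(1), m.group(2), m.group(3),
                           set(m.group(4).split())))
            continue
        m = TRANS_RE.match(line)
        if m:
            transitions[(m.group(1), m.group(2))] = m.group(3)
    return types, allows, transitions


def can_read(allows, domain, file_type):
    """True if an explicit allow grants `domain` read on files of `file_type`."""
    return any(s == domain and t == file_type and c == "file" and "read" in p
               for s, t, c, p in allows)


def exec_domain(transitions, source, entry_type):
    """Domain a `source` process lands in after execve() of an `entry_type`
    file; None means no transition (the process stays in `source`).  A file
    that is merely opened and read never triggers this lookup."""
    return transitions.get((source, entry_type))


def review(text):
    """Policy properties a reviewer would flag for the quoted rules."""
    types, allows, transitions = parse_te(text)
    notes = []
    by_target = {}
    for (_src, entry), dst in transitions.items():
        by_target.setdefault(dst, []).append(entry)
    for dst, entries in by_target.items():
        if len(entries) > 1:
            notes.append(f"{dst} is the transition target for {sorted(entries)}; "
                         "those scripts would share one domain")
    for name, attrs in types.items():
        if "domain" in attrs and name not in by_target:
            notes.append(f"{name} is declared but nothing transitions into it")
        if "file_type" in attrs and can_read(allows, "httpd_t", name):
            notes.append(f"httpd_t itself may read {name}; anything running in "
                         "httpd_t (e.g. a mod_php-interpreted script) can open it")
    return notes


if __name__ == "__main__":
    for note in review(MYPHP_TE):
        print("-", note)
```

Running it prints four findings: the shared transition target, the unused
httpd_php_domain_b_t, and one line per script type that httpd_t can read.
The last two are the ones that matter for the test in the question: even a
correct transition map is irrelevant while the script is interpreted in
httpd_t and httpd_t holds read on the other script's type.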
