Individual Domains for Particular PHP Scripts.
Stephen Smalley
sds at tycho.nsa.gov
Fri Jun 24 14:38:41 UTC 2005
On Fri, 2005-06-24 at 16:24 +0200, Tobias wrote:
> I see. This means that my goal is only possible,
> when use php as cgi modules, or?
Yes, any mechanism that causes it to exec the script in a separate
process. Looks like there is some information at
http://www.php.net/manual/en/security.cgi-bin.php FWIW.
> Thanks for the clarification! Now, i know my way.
>
> Maybe can Colin write examples in his update for
> "Understanding and Customizing the Apache HTTP SELinux Policy" ;)
Yes. It would also likely be an interesting project for someone to try
writing an apache module that uses setcon() to perform a dynamic context
transition for scripts that are directly run by apache, so that they
could at least run with reduced permissions. exec-based transitions are
certainly preferable, but that may not be an option for everyone.
--
Stephen Smalley
National Security Agency
More information about the selinux
mailing list