Individual Domains for Particular PHP Scripts.

Stephen Smalley sds at tycho.nsa.gov
Fri Jun 24 14:38:41 UTC 2005


On Fri, 2005-06-24 at 16:24 +0200, Tobias wrote:
> I see. This means that my goal is only possible,
> when use php as cgi modules, or?

Yes, any mechanism that causes it to exec the script in a separate
process.  Looks like there is some information at
http://www.php.net/manual/en/security.cgi-bin.php FWIW.

> Thanks for the clarification! Now, i know my way.
> 
> Maybe can Colin write examples in his update for
> "Understanding and Customizing the Apache HTTP SELinux Policy" ;)

Yes.  It would also likely be an interesting project for someone to try
writing an apache module that uses setcon() to perform a dynamic context
transition for scripts that are directly run by apache, so that they
could at least run with reduced permissions.  exec-based transitions are
certainly preferable, but that may not be an option for everyone.

-- 
Stephen Smalley
National Security Agency




More information about the selinux mailing list