Using dyntransition to reduce privileges for Web application

Daniel J Walsh dwalsh at redhat.com
Wed Feb 23 16:01:34 UTC 2011


On 02/23/2011 12:44 AM, Scott Gifford wrote:
> On Wed, Feb 23, 2011 at 12:38 AM, Scott Gifford
> <sgifford at suspectclass.com> wrote:
> 
>     On Tue, Feb 22, 2011 at 9:00 AM, Daniel J Walsh
>     <dwalsh at redhat.com> wrote:
> 
>         On 02/21/2011 10:19 PM, Scott Gifford wrote:
> 
>     [ ... ] 
> 
>         > Yeah, true, but I'm not sure how to cause them to have no category
>         > either, apart from using setxattr.
>         >
>         I think if you do the file context correctly you can run
>         restorecon -F
>         to fix the label.  If your CGI were in Code or python, you could use
>         setfscreatecon, to set the label automatically.
> 
> 
>     My code is in Perl,
> 
> 
> Also, are these the python bindings you're talking about above?
> 
>     http://sourceforge.net/projects/python-selinux/
> 
> 
> Those functions would be pretty easy for me to port to perl, if this
> would be useful to anybody else.
> 
> -----Scott.
> 
Yes that would be great or just fix up swig in libselinux to generate
perl bindings.  We currently generate python and ruby bindings.
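
The setfscreatecon approach mentioned in the quoted reply, as an added example that is not part of the original mail and not libselinux project code. It assumes the libselinux Python bindings (the `selinux` module); `fscreate_context`, `write_labeled`, the `sel` parameter and the sample context string are hypothetical names and values constructed for illustration.

```python
import contextlib
import os

try:
    import selinux  # libselinux Python bindings (SWIG-generated)
except ImportError:
    selinux = None  # not installed; pass a binding object via `sel` instead


@contextlib.contextmanager
def fscreate_context(context, sel=None):
    """Label every file created inside the block with `context`.

    setfscreatecon() changes per-thread state that stays in effect until it
    is reset, so the reset has to run even when file creation fails.
    Otherwise later files written by the same process inherit the label.
    """
    sel = selinux if sel is None else sel
    if sel is None or sel.is_selinux_enabled() != 1:
        yield False                  # no SELinux: default labelling applies
        return
    sel.setfscreatecon(context)
    try:
        yield True
    finally:
        sel.setfscreatecon(None)     # back to policy-default labelling


def write_labeled(path, data, context, sel=None, mode=0o600):
    """Create `path` and write `data`; return True if a label was requested.

    The fscreate context only affects newly created files, so O_EXCL is used:
    an existing file (which would keep its old label) raises FileExistsError
    instead of being silently reused.
    """
    with fscreate_context(context, sel) as labeled:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    return labeled


# Constructed sample context: sensitivity s0 with no MCS category appended.
UPLOAD_CONTEXT = "system_u:object_r:httpd_sys_rw_content_t:s0"
```
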