From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Jaspreet Singh <jsingh@ensim.com>
Cc: nsa <SELinux@tycho.nsa.gov>
Subject: Re: writing rules to disallow a domain to read particular files
Date: Sun, 17 Oct 2004 16:01:25 +0100
Message-ID: <20041017150125.GG19398@lkcl.net>
In-Reply-To: <1098023488.3182.8.camel@jsingh.india.ensim.com>
On Sun, Oct 17, 2004 at 08:01:28PM +0530, Jaspreet Singh wrote:
> Hi,
>
>
> > okay, one way to achieve that is to use the
> > macro apache_domain(virtual_$1) say by adding it to
> > macros/base_macros.te at the same point where apache_domain($1)
> > is used.
> >
>
> Could you elaborate on this more ... I am not able to understand
you need to read my previous email in which i describe a walk-through
of going over the apache macros.
> > plus adding
> >
> > > and now based on the access writes of users of a particular site I want
> > > them to access services like apache. so that apache cant access
> > > /home/virtual/siteNum/home/users/public_html/files.html
> >
> > uh? _can't_ access ..../files.html?? why?
> >
>
> Let me give you the idea of virtualization ...
good idea :)
> i guess i made a mistake
> last time ..
no, just missing information.
but let's clarify: cant is not an english word: above, do
you mean "can" or do you mean "can not"?
> sites and have any numbers of users, and the users can only see the site
> file system (chroot env).
okay, so first you should look at file_contexts/program/apache.fc
and change the second line
HOME_DIR/((www)|(web)|(public_html))(/.+)?	system_u:object_r:httpd_ROLE_content_t
to:
/home/virtual/siteNum/HOME_DIR/((www)|....
and see what happens.
you _may_ have to look at genhomedircon to ensure that it can
substitute HOME_DIR when it is used like i suggest.
> Now the site avails certain services like
> apache , sshd , telnet and things like that ...
>
> based upon what they have availed .. they are given services. So only
> when the site avails for say .. apache service i want to allow the
> apache to read the user files. I know this can be don't through
surely you mean done not don't (don't is short for "do not")
> httpd.conf .. but apache is just one example .. i want a generic MAC
> based solutions.
>
> One way to do this in DAC is ... all the files in site file system like
> /home/virtual/siteNum/etc/http.conf and all is owned by the group -
> "apache" and users are added to this group when the site avails
> for apache service.
so not only do you want the user to be able to access the site files
but also you want the user to be able to manage the ADMINISTRATIVE
file httpd.conf (for their Virtual site) is that right?
[doesn't sound right but i'm just checking].
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net"> lkcl.net </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Thread overview (14+ messages):
2004-10-16 15:21 writing rules to disallow a domain to read particular files Jaspreet Singh
2004-10-16 17:40 ` Colin Walters
2004-10-17 12:54 ` Jaspreet Singh
2004-10-17 14:14 ` Luke Kenneth Casson Leighton
2004-10-17 14:31 ` Jaspreet Singh
2004-10-17 15:01 ` Luke Kenneth Casson Leighton [this message]
2004-10-17 17:16 ` Chris Kuethe
2004-10-17 16:35 ` Colin Walters
2004-10-18 7:58 ` Jaspreet Singh
2004-10-18 13:18 ` Colin Walters
2004-10-18 15:38 ` Karl MacMillan
2004-10-18 9:41 ` Jaspreet Singh
2004-10-18 13:22 ` Stephen Smalley
2004-10-16 19:39 ` Luke Kenneth Casson Leighton