From: "Mario Fanelli" <mario.fanelli@gmail.com>
To: "SeLinux Mailing List" <selinux@tycho.nsa.gov>
Subject: Trouble with setexeccon/setcon
Date: Fri, 12 May 2006 15:40:18 +0200
Message-ID: <44649047.13bdcb9a.0dcb.4ef4@mx.gmail.com>
> > * Mario Fanelli <mario.fanelli@gmail.com> [2006-05-12 10:10]:
> > > Hello, my name is Mario and I have trouble with SELinux's API. My
> > > goal is to modify the suPHP Apache module, but the functions setcon
> > > and setexeccon don't work.
> > >
> > > My Apache process runs in the dummy_t domain and the suPHP file has the
> > > security context "user_u:object_r:dummy_exec_t"; in the policy file I
> > > write:
> > >
> > > "domain_trans(dummy_t,dummy_exec_t,dummy_change_context_t)"
> > >
> > > "domain_trans(dummy_t,dummy_exec_t,dummy_change1_context_t)"
> > >
> > > And before calling apr_create_process in mod_suphp, I use
> > > setexeccon("user_u:object_r:dummy_change_context_t") but the
> >                      ^^^^^^^^
> > > function always returns -1
> >
> > You need user_r instead of object_r. I've never used this API so I
> > can't comment further, but at least you need to change this.
>
> Yes, and please don't hardcode security contexts in your program. Make
> sure that they are configurable so that your code can adapt to other
> policies. Note that you likely just want to configure the type, and let the
> rest be inherited from the caller's context. See newrole (in
> policycoreutils) or runcon (in coreutils) for examples of how to construct
> a context by taking an existing context and then just mutating a particular
> field, like the type.
>
> --
> Stephen Smalley
> National Security Agency
Yes, but runcon and newrole are user-space commands.
I have to modify the suPHP C source code because I want the suPHP process
to have a different security context depending on an environment variable
that mod_suphp sets. I tried to use setexeccon in mod_suphp before executing
suPHP but the security context doesn't change; setexeccon returns -1. So I
tried to modify the suPHP exec with a call to setcon, but setcon doesn't
work either.
If I use runcon everything works, but I need to modify the source code.
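[Editor's note: the following is an added example, not code from this thread or from suPHP. It shows the approach Stephen Smalley describes above: take the caller's own context, replace only the type field, and hand the result to setexeccon(3), so the role (user_r rather than object_r, the point Thomas Bleher raises) and the user are inherited instead of hardcoded. The string handling is written out by hand here so it can be built and tested on a machine without libselinux; the libselinux calls getcon(), security_check_context(), setexeccon() and freecon() are real but are compiled in only with -DUSE_LIBSELINUX, e.g. `cc -DUSE_LIBSELINUX example.c -lselinux`. The type name dummy_change_context_t is the one from the thread, and the sample context strings are constructed; the policy is assumed to define the type and allow the transition.]

```c
/* Added example (not from the thread): derive a new context from the caller's
 * context by changing only the type, then use it for the next execve().
 * Build with -DUSE_LIBSELINUX and -lselinux to enable the libselinux path.
 */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#ifdef USE_LIBSELINUX
#include <selinux/selinux.h>
#endif

/* Replace the third field (type) of "user:role:type[:range]" with new_type.
 * A fourth MLS/MCS field such as ":s0", if present, is kept. Returns 0 on
 * success, -1 if ctx has fewer than three fields, the type is empty, new_type
 * is unusable, or the result does not fit in out. */
int context_with_type(const char *ctx, const char *new_type,
                      char *out, size_t outlen)
{
    const char *p1 = strchr(ctx, ':');
    if (!p1) return -1;
    const char *p2 = strchr(p1 + 1, ':');
    if (!p2) return -1;
    const char *type_start = p2 + 1;
    const char *type_end = strchr(type_start, ':');   /* NULL if no range */
    if (*type_start == '\0' || type_start == type_end) return -1;
    if (!new_type || *new_type == '\0' || strchr(new_type, ':')) return -1;

    size_t prefix_len = (size_t)(type_start - ctx);   /* "user:role:" */
    const char *suffix = type_end ? type_end : "";     /* ":range" or "" */
    int n = snprintf(out, outlen, "%.*s%s%s", (int)prefix_len, ctx, new_type, suffix);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

/* Return 1 if the role field (second field) of ctx is object_r, else 0.
 * object_r is the role given to files and other objects; a process context
 * needs a role the user may hold, such as user_r, which is why the hardcoded
 * context in the thread was rejected. */
int context_role_is_object_r(const char *ctx)
{
    const char *p1 = strchr(ctx, ':');
    if (!p1) return 0;
    const char *role = p1 + 1;
    const char *p2 = strchr(role, ':');
    size_t len = p2 ? (size_t)(p2 - role) : strlen(role);
    return len == strlen("object_r") && strncmp(role, "object_r", len) == 0;
}

#ifdef USE_LIBSELINUX
/* Set the exec context for this process's next execve() to the caller's own
 * context with only the type replaced. Returns 0 on success, -1 on error with
 * errno set by libselinux (EINVAL when the policy does not know the context). */
int set_exec_type(const char *new_type)
{
    char *cur = NULL;
    char buf[512];
    if (getcon(&cur) < 0) return -1;
    int rc = context_with_type(cur, new_type, buf, sizeof buf);
    freecon(cur);
    if (rc < 0) { errno = EINVAL; return -1; }
    /* Ask the kernel whether the loaded policy accepts this context first. */
    if (security_check_context(buf) < 0) return -1;
    return setexeccon(buf);
}
#endif

int main(void)
{
    char out[256];
    /* Constructed sample: a caller context as getcon() might return it. */
    if (context_with_type("user_u:user_r:dummy_t:s0", "dummy_change_context_t",
                          out, sizeof out) == 0)
        printf("%s\n", out);   /* user_u:user_r:dummy_change_context_t:s0 */
    /* The hardcoded context from the thread carries an object role. */
    printf("object_r role: %d\n",
           context_role_is_object_r("user_u:object_r:dummy_change_context_t"));
#ifdef USE_LIBSELINUX
    if (set_exec_type("dummy_change_context_t") < 0)
        perror("set_exec_type");
#endif
    return 0;
}
```

In mod_suphp the type would come from configuration (or the environment variable the post mentions) rather than a literal, and set_exec_type() would be called in the parent just before apr_create_process(); setexeccon() only affects the next execve() of the calling thread, so the child inherits the transition without any call in the suPHP binary itself.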
Thread overview: 7+ messages
2006-05-12 13:40 Mario Fanelli [this message]
2006-05-12 14:16 ` Trouble with setexeccon/setcon Stephen Smalley
-- strict thread matches above, loose matches on Subject: below --
2006-05-13 10:53 Mario Fanelli
2006-05-15 12:19 ` Stephen Smalley
2006-05-12 7:52 Mario Fanelli
2006-05-12 10:11 ` Thomas Bleher
2006-05-12 12:38 ` Stephen Smalley