> > * Mario Fanelli <mario.fanelli@gmail.com> [2006-05-12 10:10]:
> > > Hello, my name is Mario and I have a trouble with selinux's api. My
> > > goal is to modify the suPhp apache module, but the function setcon
> > > and function setexeccon don't work.
> > >
> > > My apache process runs in dummy_t domain and suPhp file has a
> > > security context "user_u:object_r:dummy_exec_t"; in the policy file I write:
> > >
> > > "domain_trans(dummy_t,dummy_exec_t,dummy_change_context_t)"
> > > "domain_trans(dummy_t,dummy_exec_t,dummy_change1_context_t)"
> > >
> > > And before calling apr_create_process in mod_suphp, I use
> > > setexeccon("user_u:object_r:dummy_change_context_t") but the function return
> >                      ^^^^^^^^
> > > always -1
> >
> > You need user_r instead of object_r. I've never used this api so I
> > can't comment further, but at least you need to change this.
> Yes, and please don't hardcode security contexts in your program. Make sure
> that they are configurable so that your code can adapt to other policies.
> Note that you likely just want to configure the type, and let the rest be
> inherited from the caller's context. See newrole (in policycoreutils) or
> runcon (in coreutils) for examples of how to construct a context by taking
> an existing context and then just mutating a particular field, like the
> type.
> --
> Stephen Smalley
> National Security Agency
Yes, but runcon and newrole are user-space commands.
I have to modify the SuPhp C source code because I want the SuPhp process
to have a different security context depending on an environment variable
that mod_suphp sets. I tried to use setexeccon in mod_suphp before executing
SuPhp, but the security context doesn't change... setexeccon returns -1... so
I tried to modify the suPhp exec with a call to setcon, but setcon doesn't
work either.
If I use runcon everything works, but I need to modify the source code...
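Stephen's suggestion above (take the caller's own context and change only the type field, then hand the result to setexeccon), written out in C as an added example. This is not suPhp, mod_suphp or libselinux code and does not come from the thread; the function names build_exec_context, context_role_is_object_r, exec_context_equals and set_exec_type, the type name passed in, and the sample contexts are assumptions made up for the illustration. libselinux's context_new()/context_type_set()/context_str() do the same field rewrite; the example splits the string by hand only so that the logic builds and runs on a host without libselinux, and it calls getcon()/setexeccon() only when compiled with -DHAVE_SELINUX.

```c
/* Build an exec context from the caller's context, replacing only the type.
 * Added example for this thread; not suPhp or libselinux code.
 * Build:  cc -Wall -o exec_context exec_context.c               (string logic only)
 *         cc -Wall -DHAVE_SELINUX -o exec_context exec_context.c -lselinux
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#endif

/* Replace the type (third field) of a "user:role:type[:level]" context.
 * The MLS/MCS level may itself contain ':' (e.g. "s0-s0:c0.c1023"), so only
 * the first three fields are split on ':' and anything after the type is
 * copied verbatim. Returns 0 on success, -1 on malformed input or a buffer
 * that is too small. */
int build_exec_context(const char *caller, const char *new_type,
                       char *out, size_t outlen)
{
    const char *role_colon, *type_colon, *level;
    size_t prefix_len;
    int n;

    if (!caller || !new_type || !*new_type || strchr(new_type, ':'))
        return -1;
    role_colon = strchr(caller, ':');            /* end of user */
    if (!role_colon || role_colon == caller)
        return -1;
    type_colon = strchr(role_colon + 1, ':');    /* end of role */
    if (!type_colon || type_colon == role_colon + 1)
        return -1;
    level = strchr(type_colon + 1, ':');         /* optional ":level", may be NULL */
    prefix_len = (size_t)(type_colon + 1 - caller);          /* "user:role:" */
    n = snprintf(out, outlen, "%.*s%s%s", (int)prefix_len, caller,
                 new_type, level ? level : "");
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* object_r is the role of files and other objects, not of processes; a
 * process context built with it (the mistake in the thread) is refused here
 * instead of being sent to the kernel. */
int context_role_is_object_r(const char *ctx)
{
    const char *r = ctx ? strchr(ctx, ':') : NULL;
    return r && strncmp(r + 1, "object_r:", 9) == 0;
}

/* Yes/no convenience wrapper around build_exec_context(). */
int exec_context_equals(const char *caller, const char *new_type,
                        const char *expected)
{
    char buf[256];
    return build_exec_context(caller, new_type, buf, sizeof buf) == 0 &&
           strcmp(buf, expected) == 0;
}

/* Set the context for this process's next execve() from its own context and
 * a type that comes from configuration (a parameter here, never a literal).
 * Returns 0 on success, -1 with errno set: EINVAL for a context the loaded
 * policy does not accept, EACCES/EPERM when the caller lacks setexec. */
int set_exec_type(const char *exec_type)
{
#ifdef HAVE_SELINUX
    char *caller = NULL;
    char wanted[256];
    int rc;

    if (is_selinux_enabled() <= 0)
        return 0;                               /* nothing to do */
    if (getcon(&caller) < 0)
        return -1;
    rc = build_exec_context(caller, exec_type, wanted, sizeof wanted);
    freecon(caller);
    if (rc < 0 || context_role_is_object_r(wanted)) {
        errno = EINVAL;
        return -1;
    }
    /* Applies to the next exec in this process, or in a child after fork(). */
    return setexeccon(wanted);
#else
    (void)exec_type;
    errno = ENOSYS;                             /* built without libselinux */
    return -1;
#endif
}

int main(int argc, char **argv)
{
    /* Constructed sample contexts: a plain one like the thread's, an MCS one. */
    const char *samples[] = { "user_u:user_r:dummy_t",
                              "system_u:system_r:httpd_t:s0-s0:c0.c1023" };
    const char *type = argc > 1 ? argv[1] : "dummy_change_context_t";
    char out[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (build_exec_context(samples[i], type, out, sizeof out) == 0)
            printf("%s -> %s\n", samples[i], out);
    printf("object_r rejected: %d\n",
           context_role_is_object_r("user_u:object_r:dummy_change_context_t"));
    if (set_exec_type(type) < 0)
        perror("set_exec_type");
    return 0;
}
```

When setexeccon() still returns -1 with a well-formed user_r context, check errno: the kernel rejects a context the loaded policy does not know (EINVAL), and the calling domain also needs `process setexec` permission on itself before it may set an exec context at all; an AVC denial in the audit log will show which of the two it is.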