From: "Mario Fanelli"
To: "SeLinux Mailing List"
Subject: Trouble with setexeccon/setcon
Date: Fri, 12 May 2006 15:40:18 +0200
Message-ID: <44649047.13bdcb9a.0dcb.4ef4@mx.gmail.com>

> > * Mario Fanelli [2006-05-12 10:10]:
> > > Hello, my name is Mario and I have trouble with selinux's api. My
> > > goal is to modify the suPhp apache module, but the function setcon
> > > and function setexeccon don't work.
> > >
> > > My apache process runs in dummy_t domain and suPhp file has a
> > > security context "user_u:object_r:dummy_exec_t"; in the policy file I write:
> > >
> > > "domain_trans(dummy_t,dummy_exec_t,dummy_change_context_t)"
> > >
> > > "domain_trans(dummy_t,dummy_exec_t,dummy_change1_context_t)"
> > >
> > > And before calling apr_create_process in mod_suphp, I use
> > > setexeccon("user_u:object_r:dummy_change_context_t") but the
> > > function return
> >                     ^^^^^^^^
> > > always -1
> >
> > You need user_r instead of object_r. I've never used this api so I
> > can't comment further, but at least you need to change this.
>
> Yes, and please don't hardcode security contexts in your program.
> Make sure that they are configurable so that your code
> can adapt to other policies. Note that you likely just want to
> configure the type, and let the rest be inherited from the
> caller's context. See newrole (in
> policycoreutils) or runcon (in coreutils) for examples of how to
> construct a context by taking an existing context and
> then just mutating a particular field, like the type.
>
> --
> Stephen Smalley
> National Security Agency

Yes, but runcon and newrole are user-space commands.

I have to modify the SuPhp C source code because I want the SuPhp process to have a different security context depending on an environment variable that mod_suphp sets. I tried to use setexeccon in mod_suphp before executing SuPhp, but the security context doesn't change: setexeccon returns -1. So I tried to modify the suPhp exec with a call to setcon, but setcon doesn't work either.

If I use runcon all works, but I need to modify the source code.
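As an added example (not code from this thread or from suPHP), here is the approach Stephen Smalley's reply describes, in C: read the caller's own context, replace only the type field and leave user and role inherited, rejecting the object_r mistake pointed out in the first reply. The libselinux calls getcon(), setexeccon() and freecon() are real; the sample context string, the HAVE_SELINUX build switch and the build_exec_context helper are assumptions made for this example.

```c
/* Added example, not code from the thread or from suPHP: build the exec
 * context from the caller's own context by swapping only the type field,
 * instead of hardcoding a full "user:role:type" string in the program.
 * Compile with -DHAVE_SELINUX -lselinux to drive the real libselinux API;
 * otherwise a constructed sample context is used. */
#include <stdio.h>
#include <string.h>
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#endif

/* Copy "user:role:type[:range]" into out with the type replaced.
 * Returns -1 if the context is malformed, the result does not fit, or the
 * role is object_r: that is a file role, never valid for a process, which
 * is why the setexeccon() call quoted in the thread is rejected. */
int build_exec_context(const char *cur, const char *new_type,
                       char *out, size_t outlen)
{
    const char *role = strchr(cur, ':');
    const char *type = role ? strchr(role + 1, ':') : NULL;
    if (!type) return -1;
    type++;                                  /* now points at the type */
    const char *range = strchr(type, ':');   /* optional MLS range */
    if (strncmp(role + 1, "object_r:", 9) == 0) return -1;
    int n = snprintf(out, outlen, "%.*s%s%s", (int)(type - cur), cur,
                     new_type, range ? range : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(int argc, char **argv)
{
    char ctx[256];
#ifdef HAVE_SELINUX
    char *cur = NULL;   /* the type comes from argv[1], e.g. an env setting */
    if (argc != 2 || getcon(&cur) < 0) return 1;
    int rc = build_exec_context(cur, argv[1], ctx, sizeof ctx);
    freecon(cur);
    if (rc < 0 || setexeccon(ctx) < 0) { perror("setexeccon"); return 1; }
    return 0;   /* the next execve() in this thread transitions to ctx */
#else
    (void)argc; (void)argv;
    /* constructed sample: the caller's context, which carries a process role */
    if (build_exec_context("user_u:user_r:dummy_t", "dummy_change_context_t",
                           ctx, sizeof ctx) == 0)
        puts(ctx);   /* user_u:user_r:dummy_change_context_t */
    return 0;
#endif
}
```

Whether the exec actually lands in the new type still depends on the policy allowing the calling domain the setexec permission and the transition; a -1 here tells you the context string itself was refused.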