Re: Is SELinux appropriate for my use?

[Tetsuji Maverick Rai <tetsuji.maverick.rai@gmail.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Valdis.Kletnieks@vt.edu wrote:
> On Fri, 19 May 2006 05:05:17 +0900, Tetsuji Maverick Rai said:
> 
>> What if apache's permission is set so that it isn't allowed to execute
>> most commands?    But actually most commands (i.e. even cat, ls) can be
>> dangerous, because it will display files containing mysql password.   So
>> does SELinux exist to prevent attackers from executing these "usual"
>> programs with http server's permissions(role)?   If so, I can understand
>> a bit....actually I understand this is secure.
> 
> Remember - the design of SELinux is that *nothing* is permitted, unless
> there's something in the policy that specifically says it's allowed.
> So Apache can't even run /bin/cat unless there is a rule that says something
> in httpd_t context (apache) is allowed to run bin_t binaries (bin_t includes
> most common binaries).  However, /bin/ls *isn't* a bin_t, there's a separate
> ls_exec_t for it, so things like ftpd can be restricted to be able to
> run /bin/ls, but not other things in /bin.
> 

Thank you for clarifying that.  I understand it's very secure in
invoking other commands from PHP.  Then how about this situation?   PHP
itself has several functions manipulate files and mysql databases (of
course there are much more, but I use mainly mysql).  I guess *if* PHP
is hacked, arbitrary mysql functions (and others) are executed freely,
and my mydql database can be damaged.  Is it right?

- -Tetsuji
- --
Tetsuji 'Maverick' Rai
Main http://maverick6664.bravehost.com/
Profile:
http://setiweb.ssl.berkeley.edu/beta/view_profile.php?userid=123
pubkey http://mav.atspace.com/tmr_at_gmail.txt
PGP Key ID: 82335CD9
Key fingerprint = 41CA 94B4 2A89 3FF1 5B11  BC37 D597 E667 8233 5CD9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEbgG61ZfmZ4IzXNkRArJtAJ0QmZpWAAIVEquf6yHJh8YYLYdZ4QCdHWMn
nhej+ZdMkjKDXsj+mxiiIlk=
=niUJ
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.