* apache virtualhost and selinux
@ 2005-07-15 5:26 Alexander Kabanov
2005-07-15 13:19 ` Joshua Brindle
0 siblings, 1 reply; 2+ messages in thread
From: Alexander Kabanov @ 2005-07-15 5:26 UTC (permalink / raw)
To: selinux
Hi All,
I'm new to SELinux, would like to solve the following
problem (not sure I can do this with SELinux)
so, here is the description:
- httpd (apache, let say it has some modules like mod_perl, mod_php,
mod_jk etc.)
- virtual hosts like
/path/host1
/path/host2
etc.
is there a way to contol access of /path/host1/script1.php to
/path/host2 files using SELinux policies?
suexec (works for CGI scripts only not for similar to mod_php modules)
is know solution, is it possible to implement this with SELinux
policies?
Thanks
-Alex
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: apache virtualhost and selinux
2005-07-15 5:26 apache virtualhost and selinux Alexander Kabanov
@ 2005-07-15 13:19 ` Joshua Brindle
0 siblings, 0 replies; 2+ messages in thread
From: Joshua Brindle @ 2005-07-15 13:19 UTC (permalink / raw)
To: Alexander Kabanov; +Cc: selinux
Alexander Kabanov wrote:
>Hi All,
>
>I'm new to SELinux, would like to solve the following
>problem (not sure I can do this with SELinux)
>
>so, here is the description:
>
>- httpd (apache, let say it has some modules like mod_perl, mod_php,
>mod_jk etc.)
>- virtual hosts like
> /path/host1
> /path/host2
> etc.
>
>is there a way to contol access of /path/host1/script1.php to
>/path/host2 files using SELinux policies?
>
>suexec (works for CGI scripts only not for similar to mod_php modules)
>is know solution, is it possible to implement this with SELinux
>policies?
>
>
It's possible but unfortunatly not yet implemented. A long time ago I
was playing with the idea of patching fastcgi (it's a wrapper around
interpreted languages thats not quite as fast as running them via a
module but much faster than running them as cgi) to get the context of a
script, find out what the transition would be and then execute the
interpreter in that context.
I got distracted and never finished this but it shouldn't be hard, if I
recall correctly fastcgi already does setuid for basically the same
thing. The additional SELinux code could just be put there.
Joshua
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2005-07-15 13:22 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-07-15 5:26 apache virtualhost and selinux Alexander Kabanov
2005-07-15 13:19 ` Joshua Brindle
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.