
11 Tips

  1. Confining Web applications

    By default, CGI programs run in the httpd_t domain. httpd_t is the domain for the Apache Web Server, and a domain is inherited by child programs by default. To change the domain for CGI programs, use the domain_trans element, which lets you give CGI programs a domain of their own. If your CGI programs are placed in /var/www/cgi-bin and you want them to run in the cgi_t domain, create cgi_t.sp like below.

    {
    domain cgi_t;
    domain_trans  httpd_t /var/www/cgi-bin/**;
    include common-relaxed.sp;
    ##### allowxxx will be here...
    }
    

    For PHP, you cannot change the domain from httpd_t, so PHP scripts keep the access rights of httpd_t. This is because PHP scripts are executed internally by the web server rather than through the exec system call. SELinux cannot assign a domain in such a case unless PHP is extended to use the SELinux system call itself.

  2. deny
    You can register important files in a black list with the deny element. The following is an example.
    {
    domain foo_t;
    deny /etc/shadow;
    allow /etc/** r,s;
    }
    
    In the above, foo_t is granted access to all files under /etc by allow /etc/**, but cannot access /etc/shadow. To grant access to /etc/shadow, you have to write allow /etc/shadow explicitly. Some deny elements are written by default in include/common-relaxed.sp.
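    To make the allow/deny resolution described above concrete, here is a small model of how such a block is evaluated. It is an added example, not SEEdit's own converter or policy compiler, and it assumes (as the text describes, but not verified against seedit-converter) that /dir/** matches the directory and everything beneath it, that a deny on a path cancels any wildcard allow covering it, and that only an allow naming exactly that path grants access to it again.

```python
"""Toy model of SPDL allow/deny resolution (added example, not SEEdit code).
Assumed semantics, taken from the text, not verified against seedit-converter:
'/dir/**' matches the directory and everything below it, '/dir/*' only direct
children, 'deny PATH;' beats any wildcard allow covering PATH, and only an
'allow PATH perms;' naming exactly that path grants access to it again."""
import re

# allow/deny lines of a domain block; a deny line carries no permission list
RULE_RE = re.compile(r"^(allow|deny)\s+(\S+)(?:\s+([a-z,]+))?\s*;$")

# Constructed sample: the foo_t block shown on this page
SAMPLE_SP = """{
domain foo_t;
deny /etc/shadow;
allow /etc/** r,s;
}"""

def parse_rules(spdl_text):
    """Return (kind, path_pattern, perms) tuples for each allow/deny line."""
    rules = []
    for line in spdl_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            kind, pattern, perms = m.groups()
            rules.append((kind, pattern, set((perms or "").split(",")) - {""}))
    return rules

def pattern_matches(pattern, path):
    """Assumed SPDL path matching: '**' recursive, '*' one component, else exact."""
    if pattern.endswith("/**"):
        base = pattern[:-3]
        return path == base or path.startswith(base + "/")
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path.startswith(base + "/") and "/" not in path[len(base) + 1:]
    return pattern == path

def check_access(rules, path, perm):
    """True if permission 'perm' (e.g. 'r') on 'path' is granted under 'rules'."""
    denied = explicit_allow = wildcard_allow = False
    for kind, pattern, perms in rules:
        if kind == "deny" and pattern_matches(pattern, path):
            denied = True
        elif kind == "allow" and perm in perms and pattern_matches(pattern, path):
            if pattern == path:
                explicit_allow = True  # an exact allow wins over deny, per the text
            else:
                wildcard_allow = True  # a wildcard allow is cancelled by deny
    return explicit_allow if denied else (explicit_allow or wildcard_allow)
```

    Running check_access over the paths a domain actually touches is a quick way to confirm that a deny line really shadows the wildcard allow before loading the policy.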



Yuichi Nakamura 2007-02-13