
SELinux Mailing List

Re: New Apache policy

From: Tom <tom_at_lemuria.org>
Date: Fri, 25 Oct 2002 16:42:28 +0200


On Thu, Oct 24, 2002 at 04:43:38PM +0200, Russell Coker wrote:
> I am thinking of addressing this by having some macros file doing define()
> statements for what functionality you want. So you could do the following if
> you want PHP:
> define(`use_http_php')

I don't yet feel comfortable with these defines, so I've left them out for now. However, it definitely is a good idea.

I've also thought about writing a php.te file instead of including PHP stuff in apache.te, which is pretty large as it is. Maybe I'll still do that later, reorganizing apache into apache.te, apache-cgi.te, etc. Advantage: With the Debian install process you could choose right there which options to include.

I have attached two diff files, both against the latest default policy. One is for apache, taking into account your comments and adding a section for running PHP as a CGI, but with its own type. I did this because I believe many people will want to give PHP scripts more access than they would other scripts. It also helps me to separate out the PHP stuff from the other CGI and suexec parts.

The second diff is a new subversion policy, using a macro as you suggested. It was a lot of work to get it right initially, but I do agree that it's the better way to do it.

Again, if anyone has comments or suggestions, please don't hesitate. I feel more comfortable with writing SELinux policies every day, but I'm still just beginning.

-- 
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5


Received on Fri 25 Oct 2002 - 10:56:40 EDT
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service