fedora-selinux February 2011 archive

Re: Using dyntransition to reduce privileges for Web application

From: Scott Gifford <sgifford_at_nospam>
Date: Wed Feb 23 2011 - 05:38:30 GMT
To: Daniel J Walsh <dwalsh@redhat.com>

On Tue, Feb 22, 2011 at 9:00 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:

> On 02/21/2011 10:19 PM, Scott Gifford wrote:
>
[ ... ]

> > Yeah, true, but I'm not sure how to cause them to have no category
> > either, apart from using setxattr.
> >
> I think if you do the file context correctly you can run restorecon -F
> to fix the label. If your CGI were in Code or python, you could use
> setfscreatecon, to set the label automatically.
>

My code is in Perl, so I just printed the NULL-terminated context name to:

/proc/$$/attr/fscreate

It required that I give the process context setfscreate permission, like this:

allow httpd_ppi_portal_app_t self:process setfscreate;

Now it is working great, thanks!

-----Scott.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
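
Added example, not part of the original message or of any project's code: a Perl version of the approach described above, writing the NUL-terminated context to /proc/$$/attr/fscreate before creating a file and clearing the attribute afterwards so later files get the policy default label. The sub names, the target context and the file path are constructed for illustration, and the process domain is assumed to hold the setfscreate permission shown in the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Send $bytes to /proc/$$/attr/fscreate in a single write(2) call.
# Fails with EACCES when the domain lacks "self:process setfscreate",
# and with EINVAL when the context is not valid in the loaded policy.
sub write_fscreate {
    my ($bytes) = @_;
    my $path = "/proc/$$/attr/fscreate";
    my $fd = POSIX::open($path, O_WRONLY);
    defined $fd or die "open $path: $!\n";
    my $n   = POSIX::write($fd, $bytes, length($bytes));
    my $err = $!;
    POSIX::close($fd);
    (defined $n && $n == length($bytes)) or die "write $path: $err\n";
}

# Create $file labelled with $context, then clear fscreate again.
# O_EXCL makes the call fail if the file already exists, because
# fscreate only affects files this process creates; it never relabels.
sub create_labeled {
    my ($file, $context, $mode) = @_;
    write_fscreate("$context\0");          # NUL-terminated, as in the post
    my $ok  = sysopen(my $fh, $file, O_WRONLY | O_CREAT | O_EXCL, $mode);
    my $err = $!;
    # A zero-length write clears the attribute, which is what
    # libselinux's setfscreatecon(NULL) does.
    write_fscreate('');
    $ok or die "create $file: $err\n";
    return $fh;
}

# Constructed context and path, for illustration only.
my $fh = create_labeled('/var/tmp/portal-upload.dat',
                        'system_u:object_r:httpd_sys_rw_content_t:s0', 0600);
print {$fh} "uploaded data\n";
close($fh) or die "close: $!\n";
```

Running `ls -Z` on the created file shows whether the requested context was applied.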