Bug#680965: mpm-itk: Allow setting Tomoyo domainname (or other MAC implementations?)
Please provide a way to let mpm-itk set a Tomoyo domainname (Mandatory
Access Control). It should be done by simply writing a string to a file.
I think if the file is configurable, it should work for other MAC
For Tomoyo it should be done by something like this:
echo "<new domainname>" >/sys/kernel/security/tomoyo/self_domain
For more information see:
I am not very experienced with AppArmor, but for AppArmor this should work:
echo "changehat <hat name>^<token>" >/proc/self/attr/current
I think this approach (using MAC) should be much safer than suexec,
because suexec is SUID, which puts much trust in the www-data account.