
Bug#680965: mpm-itk: Allow setting Tomoyo domainname (or other MAC implementations?)



Package: apache2-mpm-itk
Version: 2.2.22-9
Severity: wishlist

Please provide a way to let mpm-itk set a Tomoyo domainname (Mandatory
Access Control). It should be done by simply writing a string to a file.
I think if the file is configurable, it should work for other MAC
implementations too.

For Tomoyo it should be done by something like this:
echo "<new domainname>" >/sys/kernel/security/tomoyo/self_domain

For more information see:
http://sourceforge.jp/projects/tomoyo/svn/view/branches/mod_tomoyo.c?revision=5673&root=tomoyo

I am not very experienced with AppArmor, but for AppArmor this should work:
echo "changehat <hat name>^<token>" >/proc/self/attr/current

I think this approach (using MAC) should be much safer than suexec,
because suexec is SUID, which puts much trust in the www-data account.
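
The write the report describes, as it might look inside a C server process: an added example, not part of the original report and not mpm-itk or mod_tomoyo code. The names mac_set_context and MAC_REQ_MAX, the 4096-byte bound and the fail-closed handling are assumptions made for illustration.

```c
/* Added example: not taken from mpm-itk or mod_tomoyo. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAC_REQ_MAX 4096  /* assumed upper bound for one request */

/*
 * Send one transition request to a configurable MAC control file, the way
 * `echo "<value>" > <ctl_path>` does: value plus '\n' in a single write().
 * Returns 0 on success, -1 with errno set on failure. The caller should
 * refuse to serve the request on -1 (fail closed) instead of continuing
 * in the parent's context.
 */
int mac_set_context(const char *ctl_path, const char *value)
{
    char req[MAC_REQ_MAX];
    int fd, len, saved;
    ssize_t n;

    /* One request per call: no empty values, no embedded newlines. */
    if (!ctl_path || !value || !*value || strchr(value, '\n')) {
        errno = EINVAL;
        return -1;
    }
    len = snprintf(req, sizeof(req), "%s\n", value);
    if (len < 0 || (size_t)len >= sizeof(req)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* O_NOFOLLOW: refuse a symlink at the final path component. */
    fd = open(ctl_path, O_WRONLY | O_CLOEXEC | O_NOFOLLOW);
    if (fd < 0)
        return -1;

    n = write(fd, req, (size_t)len);
    saved = (n < 0) ? errno : EIO;  /* short write is reported as EIO */
    close(fd);
    if (n != (ssize_t)len) {
        errno = saved;
        return -1;
    }
    return 0;
}
```

The control file path would come from server configuration, so the same call could target the Tomoyo or the AppArmor file named in the report.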


