Can SELinux finally protect user files with Apache in a multiuser environment?

In a typical environment, one user can use mod_php, mod_python, mod_whatever functionality to see files (which contain passwords) from other users' web pages on the same server. Can SELinux protect one user's public_html files from another one in such a case?

I know only one method: AppArmor and different hats for different vhosts, but this sucks because it isn't upstream and has a bunch of opponents for various reasons. I would like to use SELinux for that but... I can't.

Sorry, I don't believe so. SELinux is good at breaking security at exec time but not within the same process. So apps like Apache that use multiple threads, which can read one user's passwd data, cannot be prevented via SELinux. AppArmor, as you said, does attempt to prevent this by changing the context within threads. SELinux theoretically could do this using the setexec call, but no one has done it yet. If some enterprising master's student were looking for a project to do, this might be a good one to try: make Apache SELinux-aware.

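The AppArmor approach the question mentions (one hat per vhost, entered by mod_apparmor on each request) looks like the following. This is an added illustration, not a profile from the original thread or from any distribution's shipped apache2 profile; the profile path, the user names alice and bob, the public_html and session directories, and the exact capability and file rules are assumptions for illustration and must be adapted to the real system.

```apparmor
# Added example (not from the original thread): an AppArmor profile for Apache
# with one hat per user vhost. Paths, user names, capabilities and rules are
# assumptions for illustration.
#include <tunables/global>

/usr/sbin/apache2 {
  #include <abstractions/base>
  #include <abstractions/apache2-common>

  # Main profile: only what Apache itself needs before a request enters a hat.
  # It deliberately grants no read access under /home, so a request that never
  # changes hat (no AAHatName for its vhost) cannot read anyone's public_html.
  capability net_bind_service,
  capability setuid,
  capability setgid,
  network inet stream,
  network inet6 stream,
  /etc/apache2/** r,
  /var/log/apache2/* w,
  /run/apache2/** rw,

  # One hat per vhost. mod_apparmor calls aa_change_hat() into the hat named by
  # AAHatName for the request, so mod_php/mod_python code running inside that
  # request is confined to its own hat's rules, not to the main profile's.
  ^alice {
    #include <abstractions/base>
    /home/alice/public_html/** r,
    # Assumption: per-vhost PHP session directory. A session directory shared
    # between vhosts would itself be a cross-user leak, so each hat gets its own.
    /var/lib/php/sessions/alice/** rw,
  }

  ^bob {
    #include <abstractions/base>
    /home/bob/public_html/** r,
    /var/lib/php/sessions/bob/** rw,
  }
}
```

On the Apache side this needs mod_apparmor loaded (`LoadModule apparmor_module .../mod_apparmor.so`) and, in each `<VirtualHost>`, an `AAHatName alice` or `AAHatName bob` directive naming the hat above; with `AADefaultHatName` unset, a vhost without `AAHatName` is handled under the main profile, which here can read no home directory at all. Two caveats a practitioner should keep in mind: with the worker or event MPM the hat is per thread, so only the thread serving the request is reconfined, which is the "context within threads" the answer refers to; and aa_change_hat() uses a magic token to allow returning to the parent profile, so in-process native code (a malicious PHP extension, for instance) that can read that token from memory can leave the hat. The hats stop interpreted code in one vhost from reading another vhost's files, but they are not a substitute for running each user's code in its own process (suexec, CGI, or per-user php-fpm pools) when the threat includes native code.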