Nick Kew wrote:
>
> On 8 Apr 2009, at 03:27, Graham Dumpleton wrote:
>
> [following up to Graham because two posts by him are all I have
> in this thread]
>
>> 2009/4/8 KaiGai Kohei <[email protected]>:
>>> Graham Dumpleton wrote:
>>>> Explain first why using FASTCGI and suexec wouldn't be a better option?
>>>
>>> These are limited to cgi applications, so we cannot apply such kind
>>> of restriction on the built-in script languages and references on
>>> static documents (like *.html).
>
> So why would a selinux context want to limit itself to the handler phase?
> Why not set the security context first thing in the request processing
> cycle, as with mod_privileges?

It sets its individual privileges at a bit earlier phase for my purpose.

I would like to associate a security context of SELinux and web-users of
applications. The identification and authentication are done in
ap_process_request_internal(), so we need to set a security context between
ap_process_request_internal() and ap_invoke_handler().
(In other words, we cannot identify what security context should be assigned
on the request.)

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <[email protected]>
