Hello all,

First of all, I really want to thank Tetsuo for his great work. So far, TOMOYO (I use the akari module on Ubuntu 10.04 LTS 64-bit) is a great working and easily usable piece of software!

Currently I'm trying to get the mod_ccs module for Apache working. I want to secure fcgid processes against each other. For this I already use mod_fcgid in combination with suexec and mod_userdir, so every fcgid process already runs as a separate user.

Now I wanted to add mod_ccs to further improve security, but I end up with server error 500.

For Apache, I use the following configuration:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
CCS_TransitionMap /etc/ccs/httpd-tomoyo00.conf
ServerName www.my-domain.local
[..]
</VirtualHost>
This is the mapping file /etc/ccs/httpd-tomoyo00.conf:
/data/homewww/test1/webdir/\* <kernel> //apache /www.my-domain.local /test1
/data/homewww/test2/webdir/\* <kernel> //apache /www.my-domain.local /test2
After that I added two manual domain transitions to <kernel> /usr/sbin/apache2 inside the Domain Policy Editor:
0: task manual_domain_transition <kernel> //apache /www.my-domain.local /test1
1: task manual_domain_transition <kernel> //apache www.my-domain.local /test2
I then added by hand the new domains "<kernel> //apache /www.my-domain.local /test1" and "<kernel> //apache /www.my-domain.local /test2" to the Domain Transition Editor, because before these domains were not found and they also had not automatically been created when accessing the website at http:///www.my-domain.local/~test1

After that, the domain transition looked like this:
<kernel> //apache /www.my-domain.local /test2
0: 0 <kernel>
( //apache )
( /www.my-domain.local )
1: 1 * /test1
As you see, //apache and /www.my-domain.local are still in parentheses, which means they are still unavailable. So I also added the two new domains by hand inside the Domain Transition Editor:
<kernel> //apache
<kernel> //apache /www.my-domain.local
Now my Domain Transition Editor looked like this:
<kernel>
0: 0 <kernel>
1: 0 //apache
2: 0 /www.my-domain.local
3: 0 * /test1
4: 0 * /test2
[..]
18: 0 * /usr/sbin/apache2
=> <kernel> //apache /www.my-domain.local /test1 ( -> 3 )
=> <kernel> //apache /www.my-domain.local /test2 ( -> 4 )
That looks good to me. Nevertheless, when I try to access the URL http://www.mydomain.local/~test1 , I still get server error 500:

Operation not permitted: mod_ccs: Unable to set security context. No matching entry for /data/homewww/test1/webdir/index.html

So, was my approach correct? Do I really need to create the Apache-related domains by hand? If yes, what could be wrong here?

Regards, hs
_______________________________________________
tomoyo-users-en mailing list
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
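
An added example, not part of the original post and not TOMOYO or mod_ccs code: a small lint that cross-checks the domain names in a transition map against the `task manual_domain_transition` entries, run over the lines quoted in the message above. It assumes one "path pattern, then domain name" pair per map line and that every domain component after `<kernel>` starts with `/`; the function names are hypothetical.

```python
import re

# Constructed sample input: the map and policy-editor lines as quoted in the post.
TRANSITION_MAP = r"""
/data/homewww/test1/webdir/\* <kernel> //apache /www.my-domain.local /test1
/data/homewww/test2/webdir/\* <kernel> //apache /www.my-domain.local /test2
"""
POLICY_LINES = """
0: task manual_domain_transition <kernel> //apache /www.my-domain.local /test1
1: task manual_domain_transition <kernel> //apache www.my-domain.local /test2
"""
# The leading "N:" index is the editor's line number and is optional here.
GRANT = re.compile(r"^\s*(?:\d+:\s*)?task\s+manual_domain_transition\s+(\S.*)$")

def map_domains(text):
    """Assumed map format: '<path pattern> <domain name>' per line -> {pattern: domain}."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            out[parts[0]] = " ".join(parts[1:])
    return out

def granted_domains(text):
    """Whitespace-normalised domains named by manual_domain_transition entries."""
    hits = (GRANT.match(line) for line in text.splitlines())
    return {" ".join(m.group(1).split()) for m in hits if m}

def malformed(domain):
    """True unless the name is '<kernel>' followed only by components starting with '/'."""
    parts = domain.split()
    return not parts or parts[0] != "<kernel>" or any(not p.startswith("/") for p in parts[1:])

def lint(map_text, policy_text):
    """Return (kind, domain) findings; an empty list means both files agree."""
    findings = []
    granted = granted_domains(policy_text)
    for domain in map_domains(map_text).values():
        if malformed(domain):
            findings.append(("malformed-map-domain", domain))
        if domain not in granted:
            findings.append(("no-transition-grant", domain))
    for domain in sorted(granted):
        if malformed(domain):
            findings.append(("malformed-grant", domain))
    return findings

if __name__ == "__main__":
    for kind, domain in lint(TRANSITION_MAP, POLICY_LINES):
        print(f"{kind}: {domain}")
```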