hs wrote:
> After that, the domain transition looked like that:
>
> <kernel> //apache /www.my-domain.local /test2
> 0: 0 <kernel>
> ( //apache )
> ( /www.my-domain.local )
> 1: 1 * /test1
>
> As you see, //apache and /www.my-domain.local are still in parentheses, which
> means they are still unavailable. So I also added the two new domains by hand
> inside the Domain Transition Editor:
>
> <kernel> //apache
> <kernel> //apache /www.my-domain.local
>
> Now my Domain Transition Editor looked like this:
>
> <kernel>
> 0: 0 <kernel>
> 1: 0 //apache
> 2: 0 /www.my-domain.local
> 3: 0 * /test1
> 4: 0 * /test2
> [..]
> 18: 0 * /usr/sbin/apache2
> => <kernel> //apache /www.my-domain.local /test1 ( -> 3 )
> => <kernel> //apache /www.my-domain.local /test2 ( -> 4 )
>

You don't need to create domains in parentheses unless such domains are
actually used. By using "task manual_domain_transition", processes can reach
the specified domain without going through parent domains.

> So - was my approach correct? Do I really need to create the apache-related
> domains by hand? If yes - what could be wrong here?

You need to manually specify "task manual_domain_transition" lines. You don't
need to manually create domains specified by "task manual_domain_transition"
lines.

To debug your problem, please manually remove the

  <kernel> //apache
  <kernel> //apache /www.my-domain.local
  <kernel> //apache /www.my-domain.local /test1
  <kernel> //apache /www.my-domain.local /test2

domains before continuing, for

  <kernel> //apache /www.my-domain.local /test1
  <kernel> //apache /www.my-domain.local /test2

will be created by mod_ccs and

  <kernel> //apache
  <kernel> //apache /www.my-domain.local

are not required for reaching

  <kernel> //apache /www.my-domain.local /test1
  <kernel> //apache /www.my-domain.local /test2

. By letting mod_ccs create domains as needed, you can check whether mod_ccs
has found a matching line or not.

> This is the mapping file /etc/ccs/httpd-tomoyo00.conf:
>
> /data/homewww/test1/webdir/\* <kernel> //apache /www.my-domain.local /test1
> /data/homewww/test2/webdir/\* <kernel> //apache /www.my-domain.local /test2

I guess that CCS_TransitionMap is not used when accessing www.my-domain.local
for some reason. A common mistake is that the CCS_TransitionMap line is not
defined in the appropriate section. In order to avoid mistakenly bypassing
domain transition, all requests are denied unless explicitly defined by files
specified by the CCS_TransitionMap line.

Please try the patch below.

Index: mod_ccs.c
===================================================================
--- mod_ccs.c (revision 5672)
+++ mod_ccs.c (working copy)
@@ -747,7 +747,8 @@
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, EPERM, r, "mod_ccs: "
"Unable to set security context. "
- "No matching entry for %s", name);
+ "No matching entry for %s (%u entries for %s)", name,
+ ptr->len, r->hostname);
free((void *) name);
return 0;
}
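
Review bot: On the added `ptr->len, r->hostname);` line, `ptr` is dereferenced on the no-match error path, and the visible context does not show that it is non-NULL there or that it still refers to the entry list for this request rather than a loop cursor left at its end; a guard or a count saved before the search would make the diagnostic safe to keep. The `%u` conversion also assumes `len` is an `unsigned int`, so a cast is worth adding if it is declared with another type, and since `r->hostname` is printed with `%s` it is worth confirming that a request without a hostname is handled as intended.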

Can you find "(2 entries for www.my-domain.local)" in the error log?

If you find a line with "(2 entries for www.my-domain.local)", it will be a
problem with the content of /etc/ccs/httpd-tomoyo00.conf . (Maybe a pattern
matching bug in the mod_ccs module.)

If you find a line like "(0 entries for www.my-domain.local)", there are no
valid lines in /etc/ccs/httpd-tomoyo00.conf . (Maybe a parsing bug in the
mod_ccs module.)

If you find a line with an unexpected hostname like "(0 entries for
localhost)", it will be a problem with the location of the CCS_TransitionMap
line.
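
The three error-log outcomes described in the reply above can be checked mechanically once the patched module is running. The following is an added example, not part of the original message or of mod_ccs; the log line prefix, the sample lines, the function names and the fourth "some map lines not loaded" verdict are assumptions.

```python
import re

# Message text comes from the patched ap_log_rerror() call quoted in the reply.
ENTRY = re.compile(
    r"mod_ccs: Unable to set security context\. "
    r"No matching entry for (?P<name>.+) "
    r"\((?P<count>\d+) entries for (?P<host>[^)]*)\)"
)

def classify(count, host, expected_host, expected_entries):
    """Map one patched log message to the case named in the reply."""
    if host != expected_host:
        return "location of CCS_TransitionMap line"
    if count == 0:
        return "no valid lines in map file (parsing)"
    if count == expected_entries:
        return "content of map file (pattern matching)"
    # Not covered by the reply: only part of the file was loaded (assumption).
    return "some map lines not loaded"

def triage(lines, expected_host, expected_entries):
    """Return (requested name, verdict) for every mod_ccs denial found."""
    found = []
    for line in lines:
        m = ENTRY.search(line)
        if m:  # lines without the patched suffix are skipped
            verdict = classify(int(m["count"]), m["host"],
                               expected_host, expected_entries)
            found.append((m["name"], verdict))
    return found

# Constructed sample lines; the prefix before "mod_ccs:" is an assumed format.
PREFIX = "[error] [client 192.0.2.10] (1)Operation not permitted: "
DENIED = "mod_ccs: Unable to set security context. No matching entry for "
SAMPLE_LOG = [
    PREFIX + DENIED + "/data/homewww/test1/webdir/index.html"
                      " (2 entries for www.my-domain.local)",
    PREFIX + DENIED + "/data/homewww/test2/webdir/index.html"
                      " (0 entries for www.my-domain.local)",
    PREFIX + DENIED + "/data/homewww/test1/webdir/index.html"
                      " (0 entries for localhost)",
    "[notice] Apache configured -- resuming normal operations",
]

if __name__ == "__main__":
    # The map file in the thread has two lines, hence expected_entries=2.
    for name, verdict in triage(SAMPLE_LOG, "www.my-domain.local", 2):
        print(f"{name}: {verdict}")
```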