[tomoyo-users-en 424] problems with mod_css

hs web****@rz*****
Tue Nov 29 00:45:45 JST 2011


hello all,

first of all, i really want to thank Tetsuo for his great work. so far, tomoyo (i use the 
akari-module on ubuntu 10.04 LTS 64Bit) is a great working and easily usable piece of software!

currently i'm trying to get the mod_ccs module for apache working. i want to secure fcgid-processes 
against each other. for this i already use mod_fcgid in combination with suexec and mod_userdir. so, 
every fcgid-process already runs as a separate user.

now i wanted to add mod_ccs to further improve security, but i end up with server error 500.

for apache, i use the following configuration:

<VirtualHost *:80>
         ServerAdmin webmaster@localhost
         CCS_TransitionMap /etc/ccs/httpd-tomoyo00.conf
         ServerName www.my-domain.local
         [..]
</VirtualHost>


this is the mapping-file /etc/ccs/httpd-tomoyo00.conf

/data/homewww/test1/webdir/\*    <kernel> //apache /www.my-domain.local /test1
/data/homewww/test2/webdir/\*    <kernel> //apache /www.my-domain.local /test2


after that i added two manual domain transitions to <kernel> /usr/sbin/apache2 inside the Domain 
Policy Editor:

0: task manual_domain_transition <kernel> //apache /www.my-domain.local /test1
1: task manual_domain_transition <kernel> //apache www.my-domain.local /test2

i then added by hand the new domain "<kernel> //apache /www.my-domain.local /test1"  and "<kernel> 
//apache /www.my-domain.local /test2" to the Domain Transition Editor, because before these domains 
were not found and they also have not automatically been created when accessing the website at 
http:///www.my-domain.local/~test1

after that, the domain transition looked like that:

<kernel> //apache /www.my-domain.local /test2
     0:  0     <kernel>
                   ( //apache )
                       ( /www.my-domain.local )
     1:  1  *              /test1

as you see, //apache and  /www.my-domain.local are still in parentheses which means they are still 
unavailable. so i also added the two new domains by hand inside the Domain Transition Editor:

     <kernel> //apache
     <kernel> //apache /www.my-domain.local

now my Domain Transition Editor looked like this:

     <kernel>
     0:  0     <kernel>
     1:  0         //apache
     2:  0             /www.my-domain.local
     3:  0  *              /test1
     4:  0  *              /test2
     [..]
    18:  0  *      /usr/sbin/apache2
                       => <kernel> //apache /www.my-domain.local /test1 ( -> 3 )
                       => <kernel> //apache /www.my-domain.local /test2 ( -> 4 )
		
that looks good to me. nevertheless, when i try to access the url 
http://www.mydomain.local/~test1 , i still get server error 500:

     Operation not permitted: mod_ccs: Unable to set security context. No matching entry for /data/homewww/test1/webdir/index.html
	
so - was my approach correct? do i really need to create the apache-related domains by hand? if yes 
- what could be wrong here?

regards, hs
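
A consistency check one could run over the two artifacts quoted in the message, as an added example that is not part of the original post and not TOMOYO or mod_ccs code: it compares the target domain names in the transition map with the manual_domain_transition entries token by token. The map-file layout (path pattern, whitespace, domain name) is an assumption taken from the two lines shown; the function names are hypothetical.

```python
import re

# Both inputs are copied from the message above.
MAP_FILE = r"""
/data/homewww/test1/webdir/\*    <kernel> //apache /www.my-domain.local /test1
/data/homewww/test2/webdir/\*    <kernel> //apache /www.my-domain.local /test2
"""
POLICY = """
0: task manual_domain_transition <kernel> //apache /www.my-domain.local /test1
1: task manual_domain_transition <kernel> //apache www.my-domain.local /test2
"""

def norm(name):
    """Collapse whitespace runs so only the domain-name tokens are compared."""
    return " ".join(name.split())

def map_targets(text):
    """Assumed layout: <path pattern> <whitespace> <target domain name>."""
    targets = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("no target domain on line: %r" % line)
        targets.add(norm(parts[1]))
    return targets

def policy_targets(text):
    """Domain names named by 'task manual_domain_transition' entries."""
    pat = re.compile(r"task\s+manual_domain_transition\s+(.+)$")
    return {norm(m.group(1)) for m in map(pat.search, text.splitlines()) if m}

def compare(map_text, policy_text):
    """Return (map targets without a policy entry, policy entries without a map target)."""
    in_map, in_policy = map_targets(map_text), policy_targets(policy_text)
    return sorted(in_map - in_policy), sorted(in_policy - in_map)

if __name__ == "__main__":
    only_map, only_policy = compare(MAP_FILE, POLICY)
    for name in only_map:
        print("in map file, no manual_domain_transition:", name)
    for name in only_policy:
        print("manual_domain_transition, not in map file:", name)
```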
	



