[tomoyo-users-en 424] problems with mod_css

hs web****@rz*****
Tue Nov 29 00:45:45 JST 2011

hello all,

first of all, i really want to thank Tetsuo for his great work. so far, tomoyo (i use the 
akari-module at ubuntu 10.04 LTS 64Bit) is a great working and easily usable piece of software!

currently i'm trying to get the mod_ccs module for apache working. i want to secure fcgid-processes 
against each other. for this i already use mod_fcgid in combination with suexec and mod_userdir. so, 
every fcgid-process already runs as a separate user.

now i wanted to add mod_ccs to further improve security, but i end up with server error 500.

for apache, i use the following configuration:

<VirtualHost *:80>
         ServerAdmin webmaster@localhost
         CCS_TransitionMap /etc/ccs/httpd-tomoyo00.conf
         ServerName www.my-domain.local

this is the mapping-file /etc/ccs/httpd-tomoyo00.conf

/data/homewww/test1/webdir/\*    <kernel> //apache /www.my-domain.local /test1
/data/homewww/test2/webdir/\*    <kernel> //apache /www.my-domain.local /test2

after that i added two manual domain transitions to <kernel> /usr/sbin/apache2 inside the Domain 
Policy Editor:

0: task manual_domain_transition <kernel> //apache /www.my-domain.local /test1
1: task manual_domain_transition <kernel> //apache www.my-domain.local /test2

i then added by hand the new domain "<kernel> //apache /www.my-domain.local /test1"  and "<kernel> 
//apache /www.my-domain.local /test2" to the Domain Transition Editor, because before these domains 
were not found and they also have not automatically been created when accessing the website at 

after that, the domain transition looked like that:

<kernel> //apache /www.my-domain.local /test2
     0:  0     <kernel>
                   ( //apache )
                       ( /www.my-domain.local )
     1:  1  *              /test1

as you see, //apache and  /www.my-domain.local are still in parentheses which means they are still 
unavailable. so i also added the two new domains by hand inside the Domain Transition Editor:

     <kernel> //apache
     <kernel> //apache /www.my-domain.local

now my Domain Transition Editor looked like this:

     0:  0     <kernel>
     1:  0         //apache
     2:  0             /www.my-domain.local
     3:  0  *              /test1
     4:  0  *              /test2
    18:  0  *      /usr/sbin/apache2
                       => <kernel> //apache /www.my-domain.local /test1 ( -> 3 )
                       => <kernel> //apache /www.my-domain.local /test2 ( -> 4 )

that looks good to me. nevertheless, when i try to access the url 
http://www.mydomain.local/~test1 , i still get server error 500:

     Operation not permitted: mod_ccs: Unable to set security context. No matching entry for 

so - was my approach correct? do i really need to create the apache-related domains by hand? if yes 
- what could be wrong here?

regards, hs
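
Added example, not part of the original post and not code from the TOMOYO project: a cross-check between the domain names a CCS_TransitionMap file requests and the names granted by `task manual_domain_transition` entries. It assumes the map layout shown in the post (path pattern, blanks, domain name), the entry format as pasted from the policy editor, and that the two names must be identical apart from spacing; the function names are hypothetical.

```python
import re

# Constructed inputs: the two listings quoted in the post, copied verbatim.
TRANSITION_MAP = r"""
/data/homewww/test1/webdir/\*    <kernel> //apache /www.my-domain.local /test1
/data/homewww/test2/webdir/\*    <kernel> //apache /www.my-domain.local /test2
"""
POLICY_LINES = """
0: task manual_domain_transition <kernel> //apache /www.my-domain.local /test1
1: task manual_domain_transition <kernel> //apache www.my-domain.local /test2
"""

ENTRY = re.compile(r"^(?:\d+:\s*)?task\s+manual_domain_transition\s+(\S.*)$")

def norm(name):
    """Collapse runs of whitespace so only real differences in the name remain."""
    return " ".join(name.split())

def map_targets(text):
    """Domain names requested by the map (assumed layout: pattern, blanks, domain)."""
    targets = set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(None, 1)
        if len(fields) != 2 or not fields[1].startswith("<kernel>"):
            raise ValueError(f"map line {n}: expected '<pattern> <kernel> ...'")
        targets.add(norm(fields[1]))
    return targets

def permitted_targets(text):
    """Domain names allowed by 'task manual_domain_transition' entries."""
    found = set()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            found.add(norm(m.group(1)))
    return found

def cross_check(map_text, policy_text):
    """Return (map targets with no policy entry, policy entries no map line uses)."""
    wanted, allowed = map_targets(map_text), permitted_targets(policy_text)
    return sorted(wanted - allowed), sorted(allowed - wanted)

if __name__ == "__main__":
    missing, unused = cross_check(TRANSITION_MAP, POLICY_LINES)
    for name in missing:
        print("map target without a matching policy entry:", name)
    for name in unused:
        print("policy entry not referenced by the map:", name)
```

On the listings as pasted, it reports one name on each side for /test2; the /test1 names agree.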
