[tomoyo-users-en 425] Re: problems with mod_css

Tetsuo Handa from-****@I-lov*****
Tue Nov 29 13:40:34 JST 2011

hs wrote:
> after that, the domain transition looked like that:
> <kernel> //apache /www.my-domain.local /test2
>      0:  0     <kernel>
>                    ( //apache )
>                        ( /www.my-domain.local )
>      1:  1  *              /test1
> As you see, //apache and /www.my-domain.local are still in parentheses, which means they are still
> unavailable. So I also added the two new domains by hand inside the Domain Transition Editor:
>      <kernel> //apache
>      <kernel> //apache /www.my-domain.local
> now my Domain Transition Editor looked like this:
>      <kernel>
>      0:  0     <kernel>
>      1:  0         //apache
>      2:  0             /www.my-domain.local
>      3:  0  *              /test1
>      4:  0  *              /test2
>      [..]
>     18:  0  *      /usr/sbin/apache2
>                        => <kernel> //apache /www.my-domain.local /test1 ( -> 3 )
>                        => <kernel> //apache /www.my-domain.local /test2 ( -> 4 )

You don't need to create domains in parentheses unless such domains are
actually used. By using "task manual_domain_transition", processes can reach
the specified domain without going through parent domains.

> So - was my approach correct? Do I really need to create the apache-related domains by hand? If yes
> - what could be wrong here?

You need to manually specify "task manual_domain_transition" lines. You don't
need to manually create domains specified by "task manual_domain_transition".

To debug your problem, please manually remove

  <kernel> //apache
  <kernel> //apache /www.my-domain.local
  <kernel> //apache /www.my-domain.local /test1
  <kernel> //apache /www.my-domain.local /test2

domains before continuing, for

  <kernel> //apache /www.my-domain.local /test1
  <kernel> //apache /www.my-domain.local /test2

will be created by mod_ccs and

  <kernel> //apache
  <kernel> //apache /www.my-domain.local

are not required for reaching

  <kernel> //apache /www.my-domain.local /test1
  <kernel> //apache /www.my-domain.local /test2

. By letting mod_ccs create domains as needed, you can check whether mod_ccs
has found a matching line or not.

> this is the mapping-file /etc/ccs/httpd-tomoyo00.conf
> /data/homewww/test1/webdir/\*    <kernel> //apache /www.my-domain.local /test1
> /data/homewww/test2/webdir/\*    <kernel> //apache /www.my-domain.local /test2

I guess that CCS_TransitionMap is not used when accessing www.my-domain.local
for some reason. A common mistake is that the CCS_TransitionMap line is not defined in
the appropriate section. In order to avoid mistakenly bypassing domain transitions, all
requests are denied unless explicitly defined by the files specified by the
CCS_TransitionMap line.

Please try the patch below.

Index: mod_ccs.c
--- mod_ccs.c	(revision 5672)
+++ mod_ccs.c	(working copy)
@@ -747,7 +747,8 @@
 	ap_log_rerror(APLOG_MARK, APLOG_ERR, EPERM, r, "mod_ccs: "
 		      "Unable to set security context. "
-		      "No matching entry for %s", name);
+		      "No matching entry for %s (%u entries for %s)", name,
+		      ptr->len, r->hostname);
 	free((void *) name);
 	return 0;
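Review bot: the two values added to the log message in this hunk deserve a type and NULL check. `ptr->len` is printed with `%u`; if it is declared as `size_t`/`apr_size_t` rather than `unsigned int`, the specifier should be `APR_SIZE_T_FMT` (or the value cast to `unsigned int`), otherwise the entry count in the log may be wrong on 64-bit builds. `r->hostname` is not guaranteed to be non-NULL for a request that carries no Host header; printing `r->hostname ? r->hostname : "(none)"` keeps the diagnostic readable in that case, which matters here since the message is meant to reveal which virtual host the mapping was loaded for.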

Can you find "(2 entries for www.my-domain.local)" in the error log?

If you find a line like "(2 entries for www.my-domain.local)", it will be a
problem with the content of /etc/ccs/httpd-tomoyo00.conf . (Maybe a pattern matching
bug of the mod_ccs module.)

If you find a line like "(0 entries for www.my-domain.local)", there are no
valid lines in /etc/ccs/httpd-tomoyo00.conf . (Maybe a parsing bug of mod_ccs

If you find a line with an unexpected hostname like "(0 entries for localhost)",
it will be a problem with the location of the CCS_TransitionMap line.
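As an added illustration (not mod_ccs's own code, and not part of the original message), a small Python checker that parses a CCS_TransitionMap-style mapping file and reports, for a given hostname and filesystem path, either the domain a request would transition to or a diagnostic of the same shape as the one the patch above logs. It assumes TOMOYO's `\*` wildcard semantics (any run of characters except '/') and that a mapping line is `pattern <domain>` separated by whitespace; the mapping text is a constructed copy of the file quoted in the thread.

```python
import re

# Constructed copy of /etc/ccs/httpd-tomoyo00.conf as quoted in the thread.
MAPPING = """\
/data/homewww/test1/webdir/\\*    <kernel> //apache /www.my-domain.local /test1
/data/homewww/test2/webdir/\\*    <kernel> //apache /www.my-domain.local /test2
"""


def parse_mapping(text):
    """Return a list of (pattern, domain) tuples; skip blank, comment and malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)          # pattern, then the rest is the domain
        if len(fields) != 2 or not fields[1].startswith("<kernel>"):
            continue                           # a line without a valid domain is not counted
        entries.append((fields[0], fields[1].strip()))
    return entries


def pattern_to_regex(pattern):
    """Translate a TOMOYO path pattern into a regex.

    Assumption for this example: only the "\\*" wildcard is supported; it matches
    zero or more characters but never crosses a '/' component boundary.
    """
    parts = pattern.split("\\*")
    return re.compile("^" + "[^/]*".join(re.escape(p) for p in parts) + "$")


def find_domain(entries, path):
    """Return the domain of the first entry whose pattern matches path, else None."""
    for pattern, domain in entries:
        if pattern_to_regex(pattern).match(path):
            return domain
    return None


def diagnose(entries, hostname, path):
    """Mirror the log message of the patched mod_ccs: success or a counted failure."""
    domain = find_domain(entries, path)
    if domain is not None:
        return "transition to " + domain
    return "No matching entry for %s (%u entries for %s)" % (path, len(entries), hostname)
```

Run it against the real mapping file and the paths of the scripts you expect to transition; a "(0 entries ...)" result points at the file's content, a "(2 entries ...)" result at the patterns.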
