William A. Rowe, Jr. wrote:
> KaiGai Kohei wrote:
>> However, SELinux does not allow reverting its privilege (security context)
>> unconditionally, even if it is dynamically changed.
>> If we want to revert it, the security policy has to allow B->A in addition
>> to A->B, but that is generally nonsense.
>> It is also the reason why we need a one-time thread or process to assign
>> individual privileges for each request.
>
> Sounds like it's time for you to hack up an alternate, selinux based mpm.

I also think a selinux based (or possibly for other secure os) mpm is a reasonable candidate.
Due to the above limitation, this mpm needs to create a process or thread for each request, and must not allow keep-alive mode.

If the approach is acceptable, I will switch to developing the new mpm approach.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <[email protected]>
