2009/4/9 KaiGai Kohei <kai...@ak.jp.nec.com>:
> William A. Rowe, Jr. wrote:
>> KaiGai Kohei wrote:
>>> However, SELinux does not allow reverting its privilege (security context)
>>> unconditionally, even if it was dynamically changed.
>>> If we want to revert it, the security policy has to allow B->A in addition
>>> to A->B, but that is generally nonsense.
>>> It is also the reason why we need a one-time thread or process to assign
>>> individual privileges for each request.
>>
>> Sounds like it's time for you to hack up an alternate, selinux based mpm.
>
> I also think a SELinux-based (or possibly other secure OS) MPM
> is a reasonable candidate.
>
> Due to the above limitation, this MPM needs to create a process or
> thread for each request, and must not allow keep-alive mode.
>
> If the approach is acceptable, I will switch to developing the new
> MPM approach.

Which gets back to the old perchild MPM perhaps being in part
relevant. The difference is that you need a more dynamic system
whereby which specific user process is used might be based on URL or
authentication credentials as well as host. Another aspect worth
consideration is a means to dynamically create additional processes
for new users, rather than everything being static, with an idle
timeout mechanism to shut down user processes which haven't had to
handle requests for some amount of time. This approach obviously need
not even involve SELinux specifically, as separation is achieved at the
process level.

FWIW, this dynamic user process creation is something which is being
implemented in an Apache module I develop. That though is being done at
a higher level and only applies to the web applications written in the
specific scripting language that the module supports, and isn't a
generic mechanism applicable to all Apache modules.

Graham
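The dispatcher Graham sketches (pick a separated identity from host, URL or authenticated user; spawn a worker process for that identity on first use; reap workers that sit idle past a timeout) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from httpd, perchild, or the module Graham mentions. The routing table `ROUTES`, the `Request` shape, the identity labels, and the `ManualClock` used to make idle reaping deterministic are all assumptions of the example. The comment in `_worker_main` marks the spot where a real MPM would make its one-way privilege transition (setuid or an SELinux context change) once per worker, which is exactly why such a worker must be dedicated to one identity and cannot be handed back to the pool for someone else.

```python
"""Per-identity worker processes with on-demand creation and idle reaping.

Added example for the discussion above; not part of any Apache MPM.
"""
import os
import time
import multiprocessing as mp
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Request:
    host: str
    path: str
    user: Optional[str] = None  # authenticated user, if any


# Hypothetical routing table (assumed for this example): which URL prefixes
# on which host belong to which separated application identity.
ROUTES = [
    ("www.example.test", "/app1/", "app1"),
    ("www.example.test", "/app2/", "app2"),
]


def select_identity(req: Request) -> str:
    """Choose the separated identity that should serve a request.

    Authenticated user wins over URL routing, which wins over plain host.
    """
    if req.user:
        return "user:" + req.user
    for host, prefix, ident in ROUTES:
        if req.host == host and req.path.startswith(prefix):
            return "app:" + ident
    return "host:" + req.host


def _worker_main(identity: str, conn) -> None:
    """Body of one dedicated worker process.

    A real MPM would perform its one-way privilege transition here, before the
    loop (setuid / SELinux setcon). Nothing after that point can revert it, so
    this process serves only `identity` until it is told to exit (None).
    """
    while True:
        msg = conn.recv()
        if msg is None:
            break
        conn.send("[%s pid=%d] served %s" % (identity, os.getpid(), msg))
    conn.close()


class ManualClock:
    """Deterministic clock so idle reaping can be exercised without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


@dataclass
class _Worker:
    proc: mp.Process
    conn: object
    last_used: float


class IdentityProcessPool:
    """Spawns one worker process per identity and reaps idle ones."""

    def __init__(self, idle_timeout: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.workers: Dict[str, _Worker] = {}

    def _spawn(self, identity: str) -> _Worker:
        parent, child = mp.Pipe()
        proc = mp.Process(target=_worker_main, args=(identity, child), daemon=True)
        proc.start()
        child.close()  # parent keeps only its own end of the pipe
        worker = _Worker(proc, parent, self.clock())
        self.workers[identity] = worker
        return worker

    def dispatch(self, req: Request) -> str:
        """Route a request to its identity's worker, creating it on first use."""
        identity = select_identity(req)
        worker = self.workers.get(identity) or self._spawn(identity)
        worker.conn.send(req.path)
        reply = worker.conn.recv()
        worker.last_used = self.clock()
        return reply

    def reap_idle(self) -> List[str]:
        """Stop workers that have not served anything for longer than idle_timeout."""
        now = self.clock()
        reaped = []
        for identity, worker in list(self.workers.items()):
            if now - worker.last_used > self.idle_timeout:
                self._stop(identity)
                reaped.append(identity)
        return reaped

    def _stop(self, identity: str) -> None:
        worker = self.workers.pop(identity)
        worker.conn.send(None)  # ask the worker to exit cleanly
        worker.conn.close()
        worker.proc.join(timeout=5)

    def shutdown(self) -> None:
        for identity in list(self.workers):
            self._stop(identity)


if __name__ == "__main__":
    pool = IdentityProcessPool(idle_timeout=30)
    print(pool.dispatch(Request("www.example.test", "/app1/index")))
    print(pool.dispatch(Request("www.example.test", "/app2/x", user="alice")))
    print(sorted(pool.workers))  # two separate worker processes
    pool.shutdown()
```

Routing by authenticated user ahead of URL prefix mirrors the "URL or authentication credentials as well as host" ordering in the message; the reaper runs from whatever periodic maintenance hook the server already has, and a worker that is reaped is simply re-spawned on the next request for that identity.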
