Graham Dumpleton wrote: > 2009/4/9 KaiGai Kohei <[email protected]>: >> William A. Rowe, Jr. wrote: >>> KaiGai Kohei wrote: >>>> However, SElinux does not allow to revert its privilege (security context) >>>> unconditionally, even if it is dynamically changed. >>>> If we want to revert it, the security policy has to allow B->A in addition >>>> to A->B, but it is generally nonsense. >>>> It is also the reason why we need a one-time thread or process to assign >>>> individual privileges for each requests. >>> Sounds like it's time for you to hack up an alternate, selinux based mpm. >> I also think a selinux based (or possible for other secure os) mpm >> is a reasonable candidate. >> >> Due to the above limitation, this mpm need to create a process or >> thread for each requests, and not to allow keep-alive mode. >> >> If the approach can be acceptable, I will switch to develop the new >> mpm approach. > > Which gets back to the old perchild MPM perhaps being in part > relevant. The difference is that you need a more dynamic system > whereby which specific user process is used might be based on URL or > authentication credentials as well as host. Another aspect worth > consideration is a means to dynamically create additional processes > for new users, rather than everything being static, with an idle > timeout mechanism to shutdown user processes which haven't had to > handle requests for some amount of time. This approach obviously need > not even involve SELinux specifically as separation achieved at > process > level.
I also think the mpm is not necessary to focus on SELinux. If it just create a one-time thread or process for each request, an pluggable module can set privileges of the execution context. It gives a chance for users to assign SELinux's privileges. In addition, someone may choose other operating system. > FWIW, this dynamic user process creation is something which is being > implemented in Apache module I develop. That though is being done at > higher level and only applies to the web applications written in the > specific scripting language that the module supports, and isn't a > generic mechanism applicable to all Apache modules. Hmm... what I would like to achieve is a bit different. The reason why I would like to set privilege prior to the invocation of contents handler is to apply consistent access controls independent from what kind of script languages are used. Thanks, -- OSS Platform Development Division, NEC KaiGai Kohei <[email protected]>
