On 02/21/2011 01:25 AM, Scott Gifford wrote:
> On Sun, Feb 20, 2011 at 5:54 PM, Scott Gifford <sgifford@xxxxxxxxxxxxxxxx> wrote:
> [ ... ]
>
> > I think I can automatically generate a unique category set from a
> > PID by using two MCS categories to represent each bit of the PID,
> > the first for a 0-bit and the second for a 1-bit. That will take 32
> > categories for a 16-bit PID, which seems reasonable.
>
> OK, I've got this working now, each PID gets a unique set of MCS
> categories, and so HTTPD child processes cannot read each other's process
> information.
>
> They do have to share files sometimes, so I designated c0 for that, and
> made sure the processes are always in c0. Now if something should be
> shared, it should remove all groups besides c0, and it will be shareable.
>
> I expected to do this through file mapping in my module's .fc file, like
> this:
>
> /var/www/portal_auth(/.*)?    gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,c0)
>
> But when new files are created in /var/www/portal_auth, they still have
> all of the PID-specific categories, in addition to c0.
>
> To make this work, I had to grant { setattr relabelfrom relabelto } to
> my Web app and make a call to setxattr to change the category on shared
> files.
>
> That works, but it seems like it would be simpler and more secure to do
> this through file mappings in my module's .fc file.
>
> Is there a mistake in my file context configuration above somewhere? Or
> am I misunderstanding how categories are applied from file context rules?
>
> Thanks for any tips,
>
> ------Scott.
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

When a process running at MCS1 creates a file, it will create the file with the same label, MCS1.

I am not sure what you are trying to do with /var/run/portal_auth: does every one of your scripts need to be able to read/write every file within the directory?
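The exchange above turns on two facts: a new file gets the creating process's MCS level (the kernel derives the label from the creator and the parent directory, not from file_contexts, which only setfiles/restorecon and similar userspace tools consult at relabel time), and the per-PID encoding makes every child's category set pairwise non-comparable, so no child dominates another. The following Python models Scott's scheme and the MCS dominance check so the effect can be seen without an SELinux box. It is an added example, not code from the thread or from the poster's module; the thread does not say which categories carry the PID bits, so c1..c32 is an assumption, as is the single-level (low == high) file label, and the `relabel_shared` helper is only a sketch of the setxattr step the post describes and is not run.

```python
"""
PID-to-MCS-category encoding from the thread above, plus the MCS
dominance check that decides whether one httpd child can read a file
created by another.  Added illustration, not code from the thread.

Assumptions not stated in the thread: PID bits use categories c1..c32
(the post only says c0 is the shared category), and files carry a
single level (low == high), as MCS does.
"""
import os

SHARED_CAT = 0        # c0: every httpd child keeps this category
PID_BITS = 16         # 16-bit PID -> two categories per bit = 32 categories
FIRST_PID_CAT = 1     # assumption: c1..c32 carry the PID bits
SHARED_TYPE = "httpd_sys_script_rw_t"   # type from the .fc rule in the post


def pid_categories(pid):
    """Category set for a child with this PID: c0 plus, for bit i,
    c(1+2i) when the bit is 0 or c(2+2i) when it is 1.  Every PID gets
    exactly PID_BITS + 1 categories, and two distinct PIDs differ in at
    least one bit, so neither set is a subset of the other."""
    if not 0 <= pid < (1 << PID_BITS):
        raise ValueError("pid %d does not fit in %d bits" % (pid, PID_BITS))
    cats = {SHARED_CAT}
    for bit in range(PID_BITS):
        cats.add(FIRST_PID_CAT + 2 * bit + ((pid >> bit) & 1))
    return frozenset(cats)


def shared_categories(cats):
    """What the post's setxattr step does to a file's label: drop the
    PID-specific categories and keep only c0."""
    return frozenset(c for c in cats if c == SHARED_CAT)


def dominates(subject_cats, object_cats):
    """MCS read check (type enforcement not modelled): the subject's
    category set must contain every category on the object."""
    return frozenset(subject_cats) >= frozenset(object_cats)


def mcs_level(cats):
    """Render a category set the way the kernel prints it: sorted, with
    runs of three or more collapsed to cN.cM, e.g. 's0:c0.c3,c5,c7,c8'."""
    cats = sorted(cats)
    parts, i = [], 0
    while i < len(cats):
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        if j - i >= 2:
            parts.append("c%d.c%d" % (cats[i], cats[j]))
        else:
            parts.extend("c%d" % c for c in cats[i:j + 1])
        i = j + 1
    return "s0" + (":" + ",".join(parts) if parts else "")


def parse_level(context):
    """Inverse of mcs_level.  Accepts a bare level ('s0:c0.c3') or a full
    context ('system_u:object_r:httpd_sys_script_rw_t:s0:c0.c3')."""
    fields = context.split(":")
    if len(fields) >= 4:          # user:role:type:sens[:cats]
        fields = fields[3:]
    cats = set()
    if len(fields) > 1 and fields[1]:
        for part in fields[1].split(","):
            lo, _, hi = part.partition(".")
            lo = int(lo[1:])
            hi = int(hi[1:]) if hi else lo
            cats.update(range(lo, hi + 1))
    return frozenset(cats)


def shared_context(type_=SHARED_TYPE):
    """Label a shared file must end up with: the .fc rule's type and c0."""
    return "system_u:object_r:%s:%s" % (type_, mcs_level({SHARED_CAT}))


def relabel_shared(path, type_=SHARED_TYPE):
    """The setxattr call the post resorted to.  Needs an SELinux kernel and
    setattr/relabelfrom/relabelto on the calling domain; not invoked here."""
    os.setxattr(path, "security.selinux", shared_context(type_).encode())


if __name__ == "__main__":
    a, b = pid_categories(1234), pid_categories(1235)
    print(mcs_level(a))
    print("1234 reads 1235's file:", dominates(a, b))                         # False
    print("1234 reads relabelled file:", dominates(a, shared_categories(b)))  # True
```

Running the script shows why the .fc rule alone did not help: a file created by PID 1235 carries all 17 of that child's categories, so PID 1234's set does not dominate it, and only after the label is reduced to c0 (by setxattr, or by a later restorecon applying the .fc rule) does the dominance check pass for every child.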