-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/21/2011 12:37 PM, Scott Gifford wrote: > On Mon, Feb 21, 2011 at 11:46 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx > <mailto:dwalsh@xxxxxxxxxx>> wrote: > > On 02/21/2011 01:25 AM, Scott Gifford wrote: > > [ ... ] > > > > They do have to share files sometimes, so I designated c0 for > that, and > > made sure the processes are always in c0. Now if something should be > > shared, it should remove all groups besides c0, and it will be > shareable. > > > > I expected to do this through file mapping in my module's .fc > file, like > > this: > > > > /var/www/portal_auth(/.*)? > > gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,c0) > > > > > > But when new files are created in /var/www/portal_auth, they still > have > > all of the PID-specific categories, in addition to c0. > > > > To make this work, I had to grant { setattr relabelfrom relabelto } to > > my Web app and make a call to setxattr to change the category on > shared > > files. > > > > That works, but it seems like it would be simpler and more secure > to do > > this through file mappings in my modules .fc file. > [ ... ] > > When a process running at MCS1 creates a file it will create the file > with the same label MCS1. I am not sure what you are trying to do with > /var/run/portal_auth, does every one of your scripts need to be able to > read/write every file within the directory? > > > Yes, I am creating categories for my Web server child processes based on > their PID to stop them from having access to each other's internal data > in "/proc" (a variation on your earlier suggestion to "grab random MCS > labels to separate the processes"), but the files > in /var/run/portal_auth have session data that all the Web processes > need access to. > > I can keep using setxattr, that seems to work well enough. > > But I guess I'm not clear on when and how the category field to > gen_context in the .fc file is used? > > Thanks, > > ------Scott. > > > > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux The syntax should have been: /var/www/portal_auth(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,s0:c0) s0:c0 means Security Level s0 with category c0. If you leave the files with no categories s0, then they should be able to read/write them. Moving to categories provides isolation between the scripts, the goal would be for the scripts to not be able to attack each other, but allowing them to write to the same files potentially gives them a mechanism to attack each other. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1iu3IACgkQrlYvE4MpobNmxQCdG5NhW01mQEumYlhwJHzdhzNK 31wAniO2XRv75o7LfvdPmEBIKOLS/+hq =r+58 -----END PGP SIGNATURE----- -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
