-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/24/2012 01:16 PM, Tim Sheppard wrote:
> Hi,
>
> I am looking to use SELinux to secure a process that is made up of a number
> of discrete, sequential stages. One stage communicates with the next by
> writing results to a file, and then an external process modifies the SELinux
> context of the file to allow the next stage to read the file, and so on
> until the final stage is reached and the processing stops.
>
> The problem I have is that the number of stages is variable and can change
> with each invocation of the process, i.e. when I create the process I know
> the number of stages that will be required in it, but the number of stages
> could change with each invocation. I think, therefore, that I need a means
> of creating new contexts on the fly and assigning them to the processes. Is
> it possible with SELinux to create a new security context (domain for the
> output file, and user/role for the stage process) on the fly and execute a
> process within that context, such that it could poll a directory for input
> files and, if it is permitted to read the file, perform its operation?
>
> Many Thanks,
>
> Tim Sheppard
>

If each process is going to require approximately the same access, I would
use MCS labeling for separation. Basically, define a sandbox type for your
processes to run within and then have your controlling app pick an MCS
label for the process and the content.

    # label the hand-off file and run stage 1 with the same category
    chcon -t confined_file_t -l s0:c1 passing.file
    runcon -t confined_proc_t -l s0:c1 proc1

When done:

    # move the file to the next category and run stage 2 under it
    chcon -l s0:c2 passing.file
    runcon -t confined_proc_t -l s0:c2 proc2
    ...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+W5O4ACgkQrlYvE4MpobNfcgCdHfJl2HRNfsi3YsAou1lA4MY9
gfIAoNzG8u5W3o9f7LUAixBSxvaLyXyE
=iHPC
-----END PGP SIGNATURE-----

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux