KaiGai Kohei wrote:
>>>>> An idea: thread/hierarchical-domain assignment
>>>>> Now constructing a patch.
>>>>> Issues: Domain Reverting
- snip -
>>> (1) The number of client security contexts should be small enough.
>>> If we want to assign one of the MCS categories, it requires up to 1024
>>> thread pools.
>> The main server thread could lazily create the thread pools as needed to
>> avoid unnecessary pools. And we could possibly use a hybrid scheme
>> (e.g. one pool per sensitivity or per equivalence class of categories,
>> reuse within that pool).
>
> I guess it requires massive reworks for Apache itself. :(
>
> If so, it may be better to implement an SELinux-specific multi-processing
> module (MPM) which creates a child process with a restricted domain per
> request?
> (No need to say, we will get some performance degradation.)

I reconsidered, and an SELinux-aware MPM is a better way than reverting the domain of backend processes/threads. It requires a certain level of performance degradation compared to the existing MPMs (prefork/worker), but the model of forking a child process for a single request and exiting afterwards is suitable for SELinux. I have an assumption here that performance is not the first priority for users of an SELinux-aware Apache. I would like to add it to my TODO list.

BTW, is there anyone familiar with the behavior of Tomcat? From its documentation, Tomcat creates a thread for a single request and kills it after processing when thread pooling is disabled. It seems to me that there is no domain reverting issue there. Is that correct?

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
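As an added illustration of the per-request child-process model discussed in the mail above (example code written for this page, not KaiGai's patch, Apache's MPM code, or anything posted in the thread): each request is handled by a forked child that switches itself into a restricted domain and then _exit()s, so neither the parent nor any pooled thread ever has to revert to an earlier domain. The transition is done by writing the target context to /proc/self/attr/current, which is the interface libselinux's setcon(3) wraps. The domain string (read from an assumed REQUEST_DOMAIN environment variable), the sample requests and the process_request() body are assumptions of the example; when no domain is given the transition is skipped so the plumbing can be exercised on a host without SELinux.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Switch the calling process into `domain` by writing the full security
 * context to /proc/self/attr/current (the same interface libselinux's
 * setcon(3) uses underneath).  Returns 0 on success, -1 if the kernel
 * refuses or SELinux is not available.  This is a one-way transition:
 * the process cannot get its old domain back, which is why it is done in
 * a throw-away child rather than in a reusable thread. */
static int enter_domain(const char *domain)
{
    int fd = open("/proc/self/attr/current", O_WRONLY);
    if (fd < 0)
        return -1;
    size_t len = strlen(domain) + 1;        /* libselinux writes the NUL too */
    ssize_t n = write(fd, domain, len);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

/* Stand-in for the real request handler (assumed): an empty request is
 * treated as an error.  The return value becomes the child's exit status. */
static int process_request(const char *req)
{
    return (req != NULL && req[0] != '\0') ? 0 : 2;
}

/* Fork one child per request.  If `domain` is non-NULL the child must
 * enter it before doing any work and dies if it cannot (fail closed: the
 * request is never served with the parent's privilege).  Returns the
 * number of requests whose child exited with status 0, or -1 if fork()
 * itself failed. */
int serve_requests(const char *const *reqs, int n, const char *domain)
{
    int ok = 0;
    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0) {
            if (domain != NULL && enter_domain(domain) != 0)
                _exit(3);
            _exit(process_request(reqs[i]));  /* no return to the parent's domain */
        }
        int status = 0;
        if (waitpid(pid, &status, 0) == pid &&
            WIFEXITED(status) && WEXITSTATUS(status) == 0)
            ok++;
    }
    return ok;
}

/* Run the constructed sample workload; returns the count of served requests. */
int demo(const char *domain)
{
    /* constructed sample requests: the middle one is deliberately invalid */
    const char *const reqs[] = { "GET /index.html", "", "GET /cgi-bin/app" };
    return serve_requests(reqs, 3, domain);
}

int main(void)
{
    /* assumed variable, e.g. "system_u:system_r:httpd_child_t:s0:c1" */
    const char *domain = getenv("REQUEST_DOMAIN");
    int ok = demo(domain);
    printf("%d of 3 requests served%s\n", ok,
           domain ? " in restricted domain" : " (no domain transition requested)");
    return 0;
}
```

Run it without REQUEST_DOMAIN to see two of the three constructed requests succeed; with REQUEST_DOMAIN set to a context the loaded policy allows a dyntransition to, each child carries that context for the remainder of its short life and the parent keeps its own. If the policy refuses the transition every child exits with status 3, which is the intended fail-closed behaviour.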