Jan-Frode Myklebust wrote:
> On Wed, Mar 25, 2009 at 10:08:55AM +0900, KaiGai Kohei wrote:
>> One idea is to add a security-focused MPM which provides the above features
>> and hooks for external modules.
>> I've actually developed a working example based on the "prefork" MPM.
>> When it accepts a request from the client, it creates a one-time thread
>> and assigns a new security context (which is a privilege set in SELinux),
>> then invokes the content handler.
>>
>> http://code.google.com/p/sepgsql/source/browse/misc/httpd-selinux/
>>
>> However, I don't adhere to the current implementation as is.
>> I would like to have a discussion to brush up the idea, to achieve
>> the goal and to get acceptance in the mainline.
>>
>> Any comments, questions and others are welcome.
>>
>
> I've been patiently hoping you would return to this idea, but it's
> not quite tackling my problem. I was hoping for something more
> similar to mod_privileges, where each virtual host is running in
> a separate selinux domain. That would be very useful for ISPs
> offering virtual hosting to customers, and give the possibility
> of giving guest_t shell access to multiple users with unique
> namespaces.
>
> It might not be necessary to run everything within the same apache
> process; maybe launching one per virtual host would be OK. But full
> mod_privileges-like support would be perfect.

Yes, it seems to me that your problem is also worthwhile: achieving separation at virtual-host granularity, although its goal is different from what I want to do.

The purpose of my efforts is to run every web application with an individual security context based on the client's identification. We can also describe it as a mapping between a web user and a security context.

> Has anybody tackled something like that with selinux ?

Sorry, my effort (currently) doesn't help to solve your problem.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
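The per-request "one-time thread plus context switch" that KaiGai describes in the quoted message, written out below as an added example for this page. This is not the httpd-selinux code linked in the thread and not a patch to any MPM; the web users, the httpd_*_t domains, the user table and every function name are hypothetical. It does what libselinux's setcon(3) does under the hood, writing the new label to the calling thread's own attr/current so that only the spawned thread changes domain, and it fails closed: if the domain switch is refused, the content handler never runs in the worker's context.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample mapping web user -> SELinux context (hypothetical names). */
struct user_map { const char *user; const char *context; };
static const struct user_map user_table[] = {
    { "alice", "system_u:system_r:httpd_alice_t:s0" },
    { "bob",   "system_u:system_r:httpd_bob_t:s0" },
};
static const char *default_context = "system_u:system_r:httpd_guest_t:s0";

/* Unknown or anonymous users land in the least-privileged context. */
const char *context_for_user(const char *user) {
    if (user)
        for (size_t i = 0; i < sizeof user_table / sizeof user_table[0]; i++)
            if (strcmp(user_table[i].user, user) == 0)
                return user_table[i].context;
    return default_context;
}

/* Equivalent of libselinux setcon(3): write the label to the calling thread's
 * attr/current (/proc/thread-self needs Linux >= 3.17).  Only this thread
 * changes domain, not the worker that spawned it.  Fails with ENOENT where
 * SELinux is absent and EACCES/EPERM when policy has no dyntransition rule
 * from the current domain to ctx. */
int set_thread_context(const char *ctx) {
    int fd = open("/proc/thread-self/attr/current", O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, ctx, strlen(ctx));
    int saved = errno;
    close(fd);
    if (n != (ssize_t)strlen(ctx)) {
        errno = n < 0 ? saved : EIO;
        return -1;
    }
    return 0;
}

typedef int (*handler_fn)(const char *user);
typedef int (*context_setter)(const char *ctx);

struct request {
    const char *user;
    handler_fn handler;
    context_setter setter;  /* injected so the dispatch logic runs without SELinux */
    int status;             /* 0 handled, -1 refused */
    int err;                /* errno of the failed setter (errno is thread-local) */
    int handler_result;     /* stays -1 unless the handler actually ran */
};

static void *request_thread(void *arg) {
    struct request *req = arg;
    /* Fail closed: never run content in the worker's more privileged domain. */
    if (req->setter(context_for_user(req->user)) != 0) {
        req->err = errno;
        req->status = -1;
        return NULL;
    }
    req->handler_result = req->handler(req->user);
    req->status = 0;
    return NULL;
}

/* One-time thread per request, joined before the worker accepts the next one. */
int dispatch_request(const char *user, handler_fn handler, context_setter setter,
                     int *handler_result, int *err) {
    struct request req = { user, handler, setter, -1, 0, -1 };
    pthread_t tid;
    if (pthread_create(&tid, NULL, request_thread, &req) != 0) {
        if (err) *err = errno;
        return -1;
    }
    pthread_join(tid, NULL);
    if (handler_result) *handler_result = req.handler_result;
    if (err) *err = req.err;
    return req.status;
}

/* Demo handler and two test doubles for the setter (used by main and tests). */
int demo_handler(const char *user) { return (int)strlen(user); }
static char applied[256];
int mock_setter_accept(const char *ctx) { snprintf(applied, sizeof applied, "%s", ctx); return 0; }
int mock_setter_deny(const char *ctx) { (void)ctx; errno = EACCES; return -1; }
const char *last_context_applied(void) { return applied; }

int main(void) {
    int result, err;
    int st = dispatch_request("alice", demo_handler, set_thread_context, &result, &err);
    if (st == 0)
        printf("handled alice in %s, handler returned %d\n", context_for_user("alice"), result);
    else
        printf("refused alice: context switch failed: %s\n", strerror(err));
    return 0;
}
```

Build with `cc -pthread`. On a host without SELinux the real setter fails with ENOENT and the request is refused rather than served unlabeled; on an enforcing host the write only succeeds if the loaded policy allows `dyntransition` from the worker's domain to the target domain, which is the rule a deployment of this idea has to add for every user domain in the table.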