Re: daemons and MCS categories


 




On May 11, 2009, at 12:11 AM, KaiGai Kohei wrote:

> Is anyone interested in the daemon process with mcs categories?
>
> My proposition tries to cover general daemon processes, but my
> major concern is apache/httpd performing without any categories.
> If we focus on apache/httpd, we can add the following policy
> within mod_selinux.pp, and it enables httpd_t to run with
> mcs categories.
>
>   optional_policy(`
>       init_ranged_daemon_domain(httpd_t,httpd_exec_t,s0 - mcs_systemhigh)
>   ')
>
> mod_selinux.so is an apache/httpd module which enables it to
> change its own security context prior to launching the contents
> handler. We can set up the module to drop all the categories
> for unauthorized http clients, and the rest of the requests to perform
> with appropriate categories.
>
> The above rule will be available only when mod_selinux is installed.
> I don't think it has any impact on existing stuff.
>
> Any comments?

FWIW, we run apache 1.3 out of xinetd at multiple contexts using labeled networking. HTTP performance is surprisingly good. HTTPS performance is unacceptable, so we are using an HTTPS reverse proxy in a DMZ for single level network services to the 'enterprise'.

joe
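
Added illustration, not part of either message and not mod_selinux code: a small model of why the quoted rule matters, checking whether a per-request level falls inside the range the daemon was started with. It assumes mcs_systemhigh expands to s0:c0.c1023 and treats the decision as plain range containment; on a real system the loaded policy's constraints decide.

```python
import re

# Assumption: mcs_systemhigh expands to s0:c0.c1023 (1024 categories).
MCS_SYSTEMHIGH = "s0:c0.c1023"

def parse_categories(spec):
    """Expand 'c0.c3,c7' into {0, 1, 2, 3, 7}; '' means no categories."""
    cats = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"reversed category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return cats

def parse_level(level):
    """'s0:c1,c5' -> (0, {1, 5})"""
    sens, _, cats = level.strip().partition(":")
    m = re.fullmatch(r"s(\d+)", sens.strip())
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    return int(m.group(1)), parse_categories(cats)

def parse_range(rng):
    """'s0 - s0:c0.c1023' -> (low, high); a single level is its own range."""
    low, sep, high = rng.partition("-")
    low_level = parse_level(low)
    return low_level, (parse_level(high) if sep else low_level)

def dominates(a, b):
    """Level a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def can_switch_to(daemon_range, request_level):
    """True if request_level lies between the low and high ends of daemon_range."""
    low, high = parse_range(daemon_range)
    level = parse_level(request_level)
    return dominates(high, level) and dominates(level, low)

if __name__ == "__main__":
    ranged = "s0 - " + MCS_SYSTEMHIGH   # httpd_t started with the quoted rule
    for daemon in ("s0", ranged):       # "s0": httpd without any categories
        for target in ("s0", "s0:c5", "s0:c0.c1023"):  # constructed levels
            print(f"{daemon!r} -> {target!r}: {can_switch_to(daemon, target)}")
```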


