Joe Nall wrote:
>
> On May 11, 2009, at 12:11 AM, KaiGai Kohei wrote:
>
>> Is anyone interested in the daemon process with mcs categories?
>>
>> My proposition tries to cover general daemon processes, but my
>> major concern is apache/httpd performing without any categories.
>> If we focus on the apache/httpd, we can add the following policy
>> within the mod_selinux.pp, and it enables httpd_t to run with
>> mcs categories.
>>
>> optional_policy(`
>> init_ranged_daemon_domain(httpd_t,httpd_exec_t,s0 - mcs_systemhigh)
>> ')
>>
>> The mod_selinux.so is an apache/httpd module which enables it to
>> change its own security context prior to launching the contents
>> handler. We can set up the module to drop all the categories
>> for unauthorized http clients, and the rest of the requests perform
>> with appropriate categories.
>>
>> The above rule will be available only when mod_selinux is installed.
>> I don't think it has any impact on existing stuff.
>>
>> Any comments?
>
> FWIW, we run apache 1.3 out of xinetd at multiple contexts using labeled
> networking. HTTP performance is surprisingly good. HTTPS performance is
> unacceptable, so we are using an HTTPS reverse proxy in a DMZ for single
> level network services to the 'enterprise'.

Are you saying that xinetd can launch multiple apache/httpd daemon
processes, each with an individual security context?
If so, unfortunately, it is different from what I would like to achieve. :(

I guess the security context of the daemon process is determined prior
to receiving http requests coming from users, but the security context
to be assigned to the web application depends on the authentication
header within the http request headers, so we cannot know who connected
at xinetd time.

Or, are we talking about topics in different layers?

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
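The following is an added worked example, not code from mod_selinux or from anyone in this thread. It shows the per-request narrowing that the quoted proposal relies on: the daemon must already hold a category range (what init_ranged_daemon_domain(httpd_t, httpd_exec_t, s0 - mcs_systemhigh) arranges, giving a context like system_u:system_r:httpd_t:s0-s0:c0.c1023), and the handler then computes a single-level context carrying only the authenticated user's categories, or none at all for an unauthenticated client. MCS only lets a process give categories up, so a daemon running plain s0 has nothing to hand out, which is exactly the concern in the mail. The sample contexts and category sets are constructed; a real module would pass the resulting string to setcon(3), and only the computation is shown here.

```python
"""Compute a narrowed MCS context for one HTTP request (added example).

Assumes the daemon context carries a category range, e.g.
system_u:system_r:httpd_t:s0-s0:c0.c1023, and that the handler has already
mapped the request's authentication header to the user's categories.
"""


def parse_categories(spec: str) -> frozenset:
    """Parse 'c0.c1023,c2000' into a set of ints; '' gives the empty set."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def format_categories(cats) -> str:
    """Render a category set the way the kernel prints it: runs of three or
    more consecutive categories become 'cA.cB', shorter runs are listed."""
    out, run = [], []
    for c in sorted(cats) + [None]:
        if run and (c is None or c != run[-1] + 1):
            if len(run) >= 3:
                out.append(f"c{run[0]}.c{run[-1]}")
            else:
                out.extend(f"c{x}" for x in run)
            run = []
        if c is not None:
            run.append(c)
    return ",".join(out)


def level_categories(level: str) -> tuple:
    """'s0:c0.c1023' -> ('s0', frozenset of ints)."""
    sens, _, cats = level.partition(":")
    return sens, parse_categories(cats)


def narrow_context(context: str, wanted) -> str:
    """Return the process context narrowed to the 'wanted' categories.

    Raises ValueError when 'wanted' is not a subset of the categories the
    process currently holds: a process may only drop categories, so a
    daemon started at plain s0 cannot give any request categories.
    """
    user, role, type_, mls = context.split(":", 3)
    low, _, high = mls.partition("-")
    high = high or low                      # single level: low == high
    low_sens = low.partition(":")[0]
    _, held = level_categories(high)
    wanted = frozenset(wanted)
    if not wanted <= held:
        missing = format_categories(wanted - held)
        raise ValueError(f"process does not hold categories {missing}")
    # The result is a single level at the low sensitivity with the
    # requested categories; no categories at all collapses to e.g. 's0'.
    new_level = f"{low_sens}:{format_categories(wanted)}" if wanted else low_sens
    return f"{user}:{role}:{type_}:{new_level}"


if __name__ == "__main__":
    daemon = "system_u:system_r:httpd_t:s0-s0:c0.c1023"   # constructed sample
    # Constructed sample clearance for an authenticated user.
    print(narrow_context(daemon, parse_categories("c3.c5")))  # ...httpd_t:s0:c3.c5
    # Unauthenticated client: drop every category.
    print(narrow_context(daemon, ()))                         # ...httpd_t:s0
    # Daemon started without categories: nothing can be handed out.
    try:
        narrow_context("system_u:system_r:httpd_t:s0", parse_categories("c3"))
    except ValueError as err:
        print("denied:", err)
```

The narrowing happens inside the request handler, after the authentication header has been read, which is why a per-connection context chosen by xinetd at accept time cannot express the same thing.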