Using dyntransition to reduce privileges for Web application

Scott Gifford sgifford at suspectclass.com
Tue Jan 18 04:27:29 UTC 2011


On Mon, Jan 17, 2011 at 2:45 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
[ ... ]

> > Third, since my main goal here is to prevent processes from interacting
> > with each other inappropriately, I would like to prevent each HTTP worker
> > from reading any information from "/proc" for other HTTP workers.
> > Currently they are allowed to do this, because they all run in the same
> > domain.  Is there any way to prevent this?
> >
>
> libvirt and sandbox use MCS separation for this.  Basically they grab
> random MCS labels to separate the processes.  I would suggest using two
> Categories, s0:c0-c1023,c0-1023 and make sure they are never the same.
>
> s0:c1,c43
> s0:c2,c43
>
> Is fine.
>
> s0:c1,c1 is not
>
> Then just set that context and you should get separation.  If you need
> the processes to handle data it might get a little more complicated.
>

Thanks!  I think I will need to learn a little more about this feature
before I can use it.  I will need a way to generate a unique category number
(maybe from the PID?), and the processes will need to handle some shared
data and code, so I will need to figure that out as well.

I will also look in more detail at Apache_SELinux_plus, I had skimmed
through the material but I should read it in more detail.  Thanks for the
tip Ted!

I will see what progress I can make and post again if I have more questions.
I really appreciate all the helpful people on this list!

-----Scott.
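Added example, not code from this thread or from libvirt/sandbox: it builds per-worker MCS levels of the form s0:cX,cY with X != Y, as Dan suggests, either deterministically from the PID (the idea Scott floats) or at random, and checks that two such levels actually separate the workers. Pure Python, no libselinux needed; the category space c0..c1023 and the "httpd worker" framing are taken from the discussion.

```python
import secrets

NUM_CATEGORIES = 1024  # c0..c1023, the category space mentioned in the reply
SENSITIVITY = "s0"

def parse_categories(level):
    """'s0:c1,c43' -> {1, 43}; also expands the dotted range form 'c0.c1023'."""
    sens, _, cats = level.partition(":")
    if sens != SENSITIVITY or not cats:
        raise ValueError(f"unexpected MCS level: {level!r}")
    out = set()
    for item in cats.split(","):
        lo, _, hi = item.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return out

def is_valid_worker_level(level):
    """Exactly two distinct categories, both inside c0..c1023 (s0:c1,c1 fails)."""
    try:
        cats = parse_categories(level)
    except ValueError:
        return False
    return len(cats) == 2 and all(0 <= c < NUM_CATEGORIES for c in cats)

def workers_separated(level_a, level_b):
    """MCS grants access only when the subject's categories contain the
    object's; if neither pair contains the other, the two workers are isolated."""
    a, b = parse_categories(level_a), parse_categories(level_b)
    return not (a <= b or b <= a)

def level_from_pid(pid):
    """Deterministic pair derived from the PID (assumption: PIDs of live workers
    are unique).  The second value is a multiplicative hash of the PID bits."""
    c1 = pid % NUM_CATEGORIES
    c2 = ((pid * 2654435761) >> 16) % NUM_CATEGORIES
    if c2 == c1:                       # defensive: never emit s0:cN,cN
        c2 = (c2 + 1) % NUM_CATEGORIES
    return f"{SENSITIVITY}:c{min(c1, c2)},c{max(c1, c2)}"

def level_random():
    """Random pair, the approach the reply attributes to libvirt and sandbox."""
    c1 = secrets.randbelow(NUM_CATEGORIES)
    c2 = secrets.randbelow(NUM_CATEGORIES - 1)
    if c2 >= c1:
        c2 += 1                        # skip c1, so the pair is always distinct
    return f"{SENSITIVITY}:c{min(c1, c2)},c{max(c1, c2)}"
```

The returned level is appended to the worker's existing context (for example `...:httpd_t:s0:c1,c43`) before the setcon() call, which the policy must permit via the process dyntransition permission.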