On Mon, Jan 17, 2011 at 2:45 PM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>></span> wrote:<div><div class="gmail_quote"><div>[ ... ] </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">
> Third, since my main goal here is to prevent processes from interacting with<br>
> each other inappropriately, I would like to prevent each HTTP worker from<br>
> reading any information from "/proc" for other HTTP workers. Currently they<br>
> are allowed to do this, because they all run in the same domain. Is there<br>
> any way to prevent this?<br>
><br>
<br>
</div>libvirt and sandbox use MCS separation for this. Basically they grab<br>
random MCS labels to separate the processes. I would suggest using two<br>
Categories, s0:c0-c1023,c0-1023 and make sure they are never the same.<br>
<br>
s0:c1,c43<br>
s0:c2,c43<br>
<br>
Is fine.<br>
<br>
s0:c1,c1 is not<br>
<br>
Then just set that context and you should get separation. if you need<br>
the processes to handle data it might get a little more complicated.<br></blockquote><div><br></div><div>Thanks! I think I will need to learn a little more about this feature before I can use it. I will need a way to generate a unique category number (maybe from the PID?), and the processes will need to handle some shared data and code, so I will need to figure that out as well.</div>
<div><br></div><div>I will also look in more detail at <span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">Apache_SELinux_plus, I had skimmed through the material but I should read it in more detail. Thanks for the tip Ted!</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br></span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">I will see what progress I can make and post again if I have more questions. I really appreciate all the helpful people on this list!<br>
<br></span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">-----Scott.</span></div></div><br></div>