On Mon, Feb 21, 2011 at 11:46 AM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>></span> wrote:<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On 02/21/2011 01:25 AM, Scott Gifford wrote:<br></div></blockquote><div> [ ... ] </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">
<div class="h5"><br>
> They do have to share files sometimes, so I designated c0 for that, and<br>
> made sure the processes are always in c0. Now if something should be<br>
> shared, it should remove all groups besides c0, and it will be shareable.<br>
><br>
> I expected to do this through file mapping in my module's .fc file, like<br>
> this:<br>
><br>
> /var/www/portal_auth(/.*)?<br>
> gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,c0)<br>
><br>
><br>
> But when new files are created in /var/www/portal_auth, they still have<br>
> all of the PID-specific categories, in addition to c0.<br>
><br>
> To make this work, I had to grant { setattr relabelfrom relabelto } to<br>
> my Web app and make a call to setxattr to change the category on shared<br>
> files.<br>
><br>
> That works, but it seems like it would be simpler and more secure to do<br>
> this through file mappings in my module's .fc file.<br>[ ... ]</div></div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">When a process running at MCS1 creates a file it will create the file<br>
with the same label MCS1. I am not sure what you are trying to do with<br>
/var/run/portal_auth, does every one of your scripts need to be able to<br>
read/write every file within the directory?<br></blockquote><div><br></div><div>Yes, I am creating categories for my Web server child processes based on their PID to stop them from having access to each other's internal data in "/proc" (a variation on your earlier suggestion to "grab random MCS labels to separate the processes"), but the files in /var/run/portal_auth have session data that all the Web processes need access to.</div>
<div><br></div><div>I can keep using setxattr; that seems to work well enough.</div><div><br></div><div>But I guess I'm not clear on when and how the category field to gen_context in the .fc file is used?</div><div><br>
</div><div>Thanks,</div><div><br></div><div>------Scott.</div><div><br></div></div>
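An added example, not part of the thread and not Scott's module: the relabel step he describes, written out in Python. The context in a module's .fc entry is what setfiles and restorecon apply when they relabel the tree (and what matchpathcon-style lookups return); at create time the kernel gives a new file the MCS level of the process that created it, which is why the c0-only entry for /var/www/portal_auth does not narrow freshly written files. Narrowing them afterwards means rewriting the file's security.selinux attribute from the process itself, which is the setxattr call that needs { setattr relabelfrom relabelto } on the file's type. The names below (restrict_categories, share_file, SHARED) and the sample contexts are hypothetical, written for this example; the code parses the level field, keeps only the shared categories (c0 here), and writes the result back with os.setxattr.

```python
import os
import re

# Constructed sample contexts for the demonstration (not taken from the thread).
# The first two mimic what a per-PID-category web process leaves on a new file
# under the shared directory: the shared c0 plus the process's own category.
SAMPLE_CONTEXTS = [
    "system_u:object_r:httpd_sys_script_rw_t:s0:c0,c1234",
    "system_u:object_r:httpd_sys_script_rw_t:s0:c1234",
    "system_u:object_r:httpd_sys_script_rw_t:s0-s0:c0.c1023",
    "system_u:object_r:httpd_sys_script_rw_t:s0",
]

SHARED = frozenset({0})   # c0: the one category every web process keeps

_CAT = re.compile(r"^c(\d+)$")


def expand_categories(cat_spec):
    """'c0,c5.c7,c1234' -> {0, 5, 6, 7, 1234}.
    Accepts the comma list and the 'cX.cY' range notation of a context."""
    cats = set()
    if not cat_spec:
        return cats
    for item in cat_spec.split(","):
        lo, _, hi = item.partition(".")
        m_lo = _CAT.match(lo)
        m_hi = _CAT.match(hi) if hi else m_lo
        if not (m_lo and m_hi):
            raise ValueError("bad category spec: %r" % item)
        cats.update(range(int(m_lo.group(1)), int(m_hi.group(1)) + 1))
    return cats


def _render_run(run):
    # Two consecutive categories are listed, three or more collapse to cX.cY
    # (the same rendering the kernel produces when it prints a context).
    if len(run) == 1:
        return "c%d" % run[0]
    if len(run) == 2:
        return "c%d,c%d" % (run[0], run[1])
    return "c%d.c%d" % (run[0], run[-1])


def format_categories(cats):
    """Inverse of expand_categories: {0, 1, 2, 5} -> 'c0.c2,c5'."""
    out, run = [], []
    for c in sorted(cats):
        if run and c == run[-1] + 1:
            run.append(c)
        else:
            if run:
                out.append(_render_run(run))
            run = [c]
    if run:
        out.append(_render_run(run))
    return ",".join(out)


def restrict_categories(context, keep=SHARED):
    """Return `context` with every MCS category outside `keep` dropped.
    Handles a context with no level, a single level 's0:c0,c7', and a
    low-high range 's0-s0:c0.c1023'; user, role and type are left alone."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % context)
    if len(parts) == 3:
        return context              # no MLS/MCS field to narrow
    user, role, typ, level = parts
    new_levels = []
    for lvl in level.split("-"):
        sens, _, cat_spec = lvl.partition(":")
        kept = expand_categories(cat_spec) & set(keep)
        new_levels.append(sens + (":" + format_categories(kept) if kept else ""))
    return ":".join([user, role, typ, "-".join(new_levels)])


def share_file(path, keep=SHARED):
    """Relabel `path` in place so only the shared categories remain.
    The caller needs { setattr relabelfrom relabelto } on the file's type and,
    under the MCS constraints, must itself hold every category in the new
    label (c0 here).  Linux-only: reads and writes the security.selinux
    xattr, whose value the kernel may NUL-terminate."""
    current = os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    new = restrict_categories(current, keep)
    if new != current:
        os.setxattr(path, "security.selinux", new.encode())
    return new


if __name__ == "__main__":
    for ctx in SAMPLE_CONTEXTS:
        print("%-56s -> %s" % (ctx, restrict_categories(ctx)))
```

share_file only needs to run once per file after it is written; a process that does not hold c0 in its own range will get EACCES on the setxattr, so keeping every child in c0 (as the message describes) is a precondition, not an optimisation.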