On Mon, Feb 21, 2011 at 11:46 AM, Daniel J Walsh <span dir="ltr">&lt;<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>&gt;</span> wrote:<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">

<div class="im">On 02/21/2011 01:25 AM, Scott Gifford wrote:<br></div></blockquote><div> [ ... ] </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">


<div class="h5"><br>
&gt; They do have to share files sometimes, so I designated c0 for that, and<br>
&gt; made sure the processes are always in c0.  Now if something should be<br>
&gt; shared, it should remove all groups besides c0, and it will be shareable.<br>
&gt;<br>
&gt; I expected to do this through file mapping in my module&#39;s .fc file, like<br>
&gt; this:<br>
&gt;<br>
&gt;     /var/www/portal_auth(/.*)?<br>
&gt;     gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,c0)<br>
&gt;<br>
&gt;<br>
&gt; But when new files are created in /var/www/portal_auth, they still have<br>
&gt; all of the PID-specific categories, in addition to c0.<br>
&gt;<br>
&gt; To make this work, I had to grant { setattr relabelfrom relabelto } to<br>
&gt; my Web app and make a call to setxattr to change the category on shared<br>
&gt; files.<br>
&gt;<br>
&gt; That works, but it seems like it would be simpler and more secure to do<br>
&gt; this through file mappings in my modules .fc file.<br>[ ... ]</div></div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">When a process running at MCS1 creates a file it will create the file<br>


with the same label MCS1.  I am not sure what you are trying to do with<br>
/var/run/portal_auth, does every one of your scripts need to be able to<br>
read/write every file within the directory?<br></blockquote><div><br></div><div>Yes, I am creating categories for my Web server child processes based on their PID to stop them from having access to each other&#39;s internal data in &quot;/proc&quot; (a variation on your earlier suggestion to &quot;<span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; ">grab </span><span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; ">random MCS labels to separate the processes&quot;)</span>, but the files in /var/run/portal_auth have session data that all the Web processes need access to.</div>

<div><br></div><div>I can keep using setxattr, that seems to work well enough.</div><div><br></div><div>But I guess I&#39;m not clear on when and how the category field to gen_context in the .fc file is used?</div><div><br>

</div><div>Thanks,</div><div><br></div><div>------Scott.</div><div><br></div><meta charset="utf-8"><meta charset="utf-8"></div>