On Mon, Jan 17, 2011 at 2:45 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
[ ... ]
> Third, since my main goal here is to prevent processes from interacting with
> each other inappropriately, I would like to prevent each HTTP worker from
> reading any information from "/proc" for other HTTP workers. Currently they
> are allowed to do this, because they all run in the same domain. Is there
> any way to prevent this?
>
libvirt and sandbox use MCS separation for this. Basically they grab
random MCS labels to separate the processes. I would suggest using two
Categories, s0:c0-c1023,c0-1023 and make sure they are never the same.
s0:c1,c43
s0:c2,c43
Is fine.
s0:c1,c1 is not
Then just set that context and you should get separation. If you need
the processes to handle data it might get a little more complicated.

Thanks! I think I will need to learn a little more about this feature
before I can use it. I will need a way to generate a unique category number
(maybe from the PID?), and the processes will need to handle some shared
data and code, so I will need to figure that out as well.

I will also look in more detail at Apache_SELinux_plus; I had skimmed
through the material, but I should read it in more detail. Thanks for the
tip Ted!

I will see what progress I can make and post again if I have more questions.

I really appreciate all the helpful people on this list!

-----Scott.
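
An added example, not part of the original thread: one way to give each worker a distinct two-category MCS label in the c0-c1023 range discussed above, using a tracked random allocation instead of the PID. All function and class names are hypothetical, and `dominates` is a simplified superset model of MCS dominance, not policy code.

```python
import secrets

NUM_CATS = 1024                              # c0..c1023, the range quoted in the thread
MAX_PAIRS = NUM_CATS * (NUM_CATS - 1) // 2   # 523776 distinct unordered pairs

def pair_from_index(n):
    """Map n in [0, MAX_PAIRS) to a unique pair (i, j) with i < j."""
    if not 0 <= n < MAX_PAIRS:
        raise ValueError("index out of range")
    j = 1
    while j * (j + 1) // 2 <= n:   # find j with C(j,2) <= n < C(j+1,2)
        j += 1
    return n - j * (j - 1) // 2, j

def label(pair):
    """Format a pair as an MCS level; equal categories (s0:c1,c1) are rejected."""
    lo, hi = sorted(pair)
    if lo == hi:
        raise ValueError("the two categories must differ")
    return f"s0:c{lo},c{hi}"

def categories(lbl):
    """Parse 's0:cA,cB' into a frozenset of category numbers."""
    return frozenset(int(c[1:]) for c in lbl.partition(":")[2].split(",") if c)

def dominates(subject, obj):
    """Simplified model: subject's category set must include all of obj's."""
    return categories(subject) >= categories(obj)

class Allocator:
    """Hands out random labels; a label is never issued twice while in use."""
    def __init__(self):
        self.in_use = set()

    def acquire(self):
        if len(self.in_use) >= MAX_PAIRS:
            raise RuntimeError("no free category pairs")
        while True:
            lbl = label(pair_from_index(secrets.randbelow(MAX_PAIRS)))
            if lbl not in self.in_use:
                self.in_use.add(lbl)
                return lbl

    def release(self, lbl):
        self.in_use.discard(lbl)   # call when the worker exits
```

A PID cannot serve directly as a single category number because PIDs exceed 1023 and are reused; tracking issued pairs avoids both problems.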