On Mon, Feb 21, 2011 at 11:46 AM, Daniel J Walsh dwalsh@redhat.com wrote:
On 02/21/2011 01:25 AM, Scott Gifford wrote:
[ ... ]
They do have to share files sometimes, so I designated c0 for that, and made sure the processes are always in c0. Now if something should be shared, it should remove all groups besides c0, and it will be shareable.
I expected to do this through file mapping in my module's .fc file, like this:
/var/www/portal_auth(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,c0)
But when new files are created in /var/www/portal_auth, they still have all of the PID-specific categories, in addition to c0.
To make this work, I had to grant { setattr relabelfrom relabelto } to my Web app and make a call to setxattr to change the category on shared files.
That works, but it seems like it would be simpler and more secure to do this through file mappings in my modules .fc file.
[ ... ]
When a process running at MCS1 creates a file it will create the file
with the same label MCS1. I am not sure what you are trying to do with /var/run/portal_auth, does every one of your scripts need to be able to read/write every file within the directory?
Yes, I am creating categories for my Web server child processes based on their PID to stop them from having access to each other's internal data in "/proc" (a variation on your earlier suggestion to "grab random MCS labels to separate the processes"), but the files in /var/run/portal_auth have session data that all the Web processes need access to.
I can keep using setxattr, that seems to work well enough.
But I guess I'm not clear on when and how the category field to gen_context in the .fc file is used?
Thanks,
------Scott.