On Mon, Jan 17, 2011 at 2:45 PM, Daniel J Walsh dwalsh@redhat.com wrote: [ ... ]
Third, since my main goal here is to prevent processes from interacting with each other inappropriately, I would like to prevent each HTTP worker from reading any information from "/proc" for other HTTP workers. Currently they are allowed to do this, because they all run in the same domain. Is there any way to prevent this?
libvirt and sandbox use MCS separation for this. Basically they grab random MCS labels to separate the processes. I would suggest using two Categories, s0:c0-c1023,c0-1023 and make sure they are never the same.
s0:c1,c43
s0:c2,c43
Is fine.
s0:c1,c1 is not
Then just set that context and you should get separation. If you need the processes to handle data it might get a little more complicated.
Thanks! I think I will need to learn a little more about this feature before I can use it. I will need a way to generate a unique category number (maybe from the PID?), and the processes will need to handle some shared data and code, so I will need to figure that out as well.
I will also look in more detail at Apache_SELinux_plus; I had skimmed through the material but I should read it in more detail. Thanks for the tip Ted!
I will see what progress I can make and post again if I have more questions. I really appreciate all the helpful people on this list!
-----Scott.
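
The label allocation discussed in this thread, as an added example that is not code from any of the posters: a pool that hands out pairs of two distinct categories from c0 to c1023 and never repeats a pair, plus a check showing why `s0:c1,c43` and `s0:c2,c43` are separated while `s0:c1,c1` is not. `CategoryPool`, `parse_categories`, `dominates` and `separated` are hypothetical names, and the check assumes MCS dominance means one level's category set contains the other's.

```python
import secrets

NUM_CATEGORIES = 1024  # c0..c1023, the range named in the thread


def parse_categories(level):
    """Category set of a level such as 's0:c1,c43' ('s0:c1,c1' collapses to {1})."""
    _, _, cats = level.partition(":")
    return {int(c.lstrip("c")) for c in cats.split(",") if c}


def dominates(a, b):
    """Assumed MCS rule: a dominates b when a's categories contain all of b's."""
    return parse_categories(a) >= parse_categories(b)


def separated(a, b):
    """Two labels are separated only if neither dominates the other."""
    return not dominates(a, b) and not dominates(b, a)


class CategoryPool:
    """Hands out random pairs of two distinct categories, never the same pair twice."""

    def __init__(self):
        self.in_use = set()

    def acquire(self):
        while True:
            a = secrets.randbelow(NUM_CATEGORIES)
            b = secrets.randbelow(NUM_CATEGORIES)
            pair = (min(a, b), max(a, b))
            # Reject a == b (the 's0:c1,c1' case) and pairs already handed out.
            if a != b and pair not in self.in_use:
                self.in_use.add(pair)
                return "s0:c%d,c%d" % pair

    def release(self, level):
        """Return a pair to the pool when its worker exits."""
        self.in_use.discard(tuple(sorted(parse_categories(level))))


if __name__ == "__main__":
    pool = CategoryPool()
    w1, w2 = pool.acquire(), pool.acquire()
    print(w1, w2, separated(w1, w2))
    print(separated("s0:c1,c43", "s0:c2,c43"))  # the pair the thread calls fine
    print(separated("s0:c1,c43", "s0:c1,c1"))   # single category is dominated
```

A random pool avoids tying the label to the PID, which can be reused after a worker exits; calling `release` at that point keeps the pool's bookkeeping in step with the live workers.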