From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Joe Nall <joe@nall.com>
Cc: dwalsh@redhat.com, method@manicmethod.com,
"Christopher J. PeBenito" <cpebenito@tresys.com>,
russell@coker.com.au, SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: daemons and MCS categories
Date: Mon, 18 May 2009 17:31:17 +0900
Message-ID: <4A111CD5.1000109@ak.jp.nec.com>
In-Reply-To: <86170769-8CD9-4A99-9C14-624611280E55@nall.com>
Joe Nall wrote:
>
> On May 11, 2009, at 12:11 AM, KaiGai Kohei wrote:
>
>> Is anyone interested in the daemon process with mcs categories?
>>
>> My proposition tries to cover general daemon processes, but my
>> major concern is apache/httpd performing without any categories.
>> If we focus on the apache/httpd, we can add the following policy
>> within the mod_selinux.pp, and it enables httpd_t to run with
>> mcs categories.
>>
>> optional_policy(`
>> init_ranged_daemon_domain(httpd_t,httpd_exec_t,s0 - mcs_systemhigh)
>> ')
>>
>> The mod_selinux.so is an apache/httpd module which makes it possible to
>> change its own security context prior to launching the contents
>> handler. We can set up the module to drop all the categories
>> for unauthorized http clients, and to run the rest of the requests
>> with appropriate categories.
>>
>> The above rule will be available only when mod_selinux is installed.
>> I don't think it has any impact on existing stuff.
>>
>> Any comments?
>
> FWIW, we run apache 1.3 out of xinetd at multiple contexts using labeled
> networking. HTTP performance is surprisingly good. HTTPS performance is
> unacceptable, so we are using an HTTPS reverse proxy in a DMZ for single
> level network services to the 'enterprise'.
Are you saying that xinetd can launch multiple apache/httpd daemon processes
with individual security contexts? If so, unfortunately, it is different from
what I would like to achieve. :(
I guess the security context of the daemon process is determined prior to
receiving the http requests that come from users, but the security context to be
assigned to the web application depends on the authentication header within
the http request headers, so we cannot know who connected at xinetd time.
Or, are we talking about topics in a different layer?
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
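A worked illustration of the per-request context switch described in the quoted mail, added here as an example and not code from mod_selinux or from any of the posters: it computes the context string a handler would hand to setcon(3) for a daemon launched with the s0 - mcs_systemhigh range, dropping every category for unauthenticated clients and refusing categories that lie outside the daemon's own range. The daemon context and the granted category set are constructed values.

```python
import re

# Constructed daemon context: what httpd_t runs with after
# init_ranged_daemon_domain(httpd_t, httpd_exec_t, s0 - mcs_systemhigh).
DAEMON_CONTEXT = "system_u:system_r:httpd_t:s0-s0:c0.c1023"

def parse_categories(spec):
    """Expand an MCS category list ('c0.c1023', 'c5,c7,c10.c12', '') into a set of ints."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"malformed category spec: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if hi < lo:
            raise ValueError(f"descending category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return cats

def format_categories(cats):
    """Render a category set as the kernel does: runs of 3+ as 'cA.cB', otherwise comma-separated."""
    nums, out, i = sorted(cats), [], 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        if j - i >= 2:
            out.append(f"c{nums[i]}.c{nums[j]}")
        else:
            out.extend(f"c{n}" for n in nums[i:j + 1])
        i = j + 1
    return ",".join(out)

def request_context(daemon_ctx, granted, authenticated):
    """Context the handler should switch to: no categories unless authenticated,
    and never a category the daemon's own range does not cover."""
    user, role, type_, mls = daemon_ctx.split(":", 3)
    low, _, high = mls.partition("-")
    sens = low.partition(":")[0]                       # keep the daemon's sensitivity (s0)
    allowed = parse_categories((high or low).partition(":")[2])
    cats = set(granted) if authenticated else set()    # unauthenticated: drop everything
    if not cats <= allowed:
        raise PermissionError(f"categories {format_categories(cats - allowed)} "
                              f"lie outside the daemon's range {mls}")
    level = sens if not cats else f"{sens}:{format_categories(cats)}"
    return f"{user}:{role}:{type_}:{level}"

if __name__ == "__main__":
    print(request_context(DAEMON_CONTEXT, {5, 7, 10, 11, 12}, authenticated=True))
```

In a real module the returned string is what gets passed to setcon(3), which only succeeds if policy allows httpd_t the dyntransition and the MLS constraints accept the narrowed range.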