httpd-dev mailing list archives

From KaiGai Kohei <kai...@ak.jp.nec.com>
Subject Re: [RFC] A new hook: invoke_handler and web-application security
Date Thu, 09 Apr 2009 05:17:16 GMT
William A. Rowe, Jr. wrote:
> KaiGai Kohei wrote:
>> However, SELinux does not allow reverting its privilege (security context)
>> unconditionally, even if it is dynamically changed.
>> If we want to revert it, the security policy has to allow B->A in addition
>> to A->B, but it is generally nonsense.
>> It is also the reason why we need a one-time thread or process to assign
>> individual privileges for each request.
> 
> Sounds like it's time for you to hack up an alternate, selinux based mpm.

I also think an SELinux-based (or possibly for other secure OS) mpm
is a reasonable candidate.

Due to the above limitation, this mpm needs to create a process or
thread for each request, and not allow keep-alive mode.

If the approach is acceptable, I will switch to developing the new
mpm approach.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
