Jeff V. Merkey <jmerkey@xxxxxxxxxxxxxxxxxxxxx> wrote:

Have it access them as 0.0 (root) when you change the fsuid, etc. and I think this would satisfy security concerns. I agree that it sounds like
SELinux support addresses all of these issues for B1 level security quite
well with mandatory access controls at the fs layers. In fact, it works so
well, when enabled you cannot even run apache on top of an FS unless
configured properly.

How? The problem I've got is that the caching code would be creating and
accessing files and directories with the wrong security context - that of the
calling process - and not a context suitable for sharing things in the cache
whilst protecting them from userspace as best we can.

David