Intro

Valdis.Kletnieks at vt.edu
Tue Oct 12 01:03:12 UTC 2004


On Mon, 11 Oct 2004 17:53:13 PDT, Tom Mitchell said:

> Since Temlakos mentioned building a database, what model of data
> management should he consider?
> 
> On the surface, SELinux could put a fence around the database and data,
> but if the database had data that rightly belonged in multiple domains
> I suspect he has a problem that is not clearly addressed by tossing
> SELinux into the pot.

Well, if his application is well behaved, he can at least ensure that
the data in the backend store can only be accessed via
means mediated by the application's access control mechanisms.

In other words, no trawling the database by using 'strings' (or a more
sophisticated program to read Sleepycat/mysql/oracle/whatever formats)....

If there's data from multiple security domains inside the database, then
of course the database will have to do its own work there.  Didn't somebody
have a patch/code/trick for getting an Apache server to change contexts when
it ran different CGIs, or am I hallucinating?  That sounds like it might
be applicable here (although I seem to remember it being shot down or dying
of bit-rot as things evolved)....


More information about the fedora-selinux-list mailing list