selinux June 2013 archive

Re: use case

From: Stephen Smalley <sds_at_nospam>
Date: Mon Jun 10 2013 - 14:37:20 GMT
To: Franck <>

On 06/10/2013 10:15 AM, Franck wrote:
> Hello,
> I'm trying to see if the following scenario is something that can be dealt
> with using SELinux.
> I have a daemon that starts multiple identical processes (let's call them
> "agents", and let's say we have 2 of them, but we could as well have 256).
> Those processes are there so remote clients can start other processes. I
> want those processes to be able to read from one location (the binaries of
> what they are running) but also to read/write in some specific directories.
> Of course, agent A and agent B should not be able to interact with each
> other directly (they could using some tcp/http protocol) or read/write
> files that are not theirs.
> I was thinking of transitioning from the agent domain to the client
> application domain using a transient domain that would be automatically
> generated and unique, but did not see anything like that.

You could assign a unique category set to each client application rather
than changing domains; that would allow you to separate them from each
other without having to define a unique domain for each of them. A
similar approach has been used in various systems, e.g. the SELinux
sandbox, sVirt (libvirt), SE for Android, OpenShift.
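As an added illustration of the category-set approach described in the reply (not code from the thread or from any of the systems it names), the following models the MCS dominance rule that the policy enforces for file access and an sVirt-style allocator that hands each agent a unique pair of categories. The level strings and the allocation scheme are assumptions for the example; in a real deployment the agents would still need a confined type, since MCS only adds separation on top of type enforcement.

```python
import random

MAX_CATEGORY = 1023  # default MCS policy defines c0..c1023


def parse_categories(level):
    """Return the category set of an MCS level such as 's0:c12,c40' or 's0:c0.c3'.
    A bare sensitivity ('s0') carries no categories."""
    parts = level.split(":", 1)
    if len(parts) == 1 or not parts[1]:
        return frozenset()
    cats = set()
    for item in parts[1].split(","):
        if "." in item:               # compact range notation, e.g. c0.c3
            lo, hi = item.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return frozenset(cats)


def mcs_dominates(subject_level, object_level):
    """MCS read/write rule: the process's categories must be a superset of the
    file's categories. A file labelled plain 's0' is therefore reachable by
    every agent (the shared binaries), while a file carrying another agent's
    pair is not."""
    return parse_categories(subject_level) >= parse_categories(object_level)


class CategoryAllocator:
    """Hand out unique two-category levels, as sVirt does for VMs. Two distinct
    pairs can never dominate each other, so agents with different pairs are
    mutually isolated without a per-agent domain."""

    def __init__(self, seed=None):
        self._rng = random.Random(seed)   # seed only for reproducibility here
        self._used = set()

    def allocate(self):
        while True:
            a, b = sorted(self._rng.sample(range(MAX_CATEGORY + 1), 2))
            if (a, b) not in self._used:
                self._used.add((a, b))
                return f"s0:c{a},c{b}"


def isolated(level_a, level_b):
    """True when neither agent's level can reach the other's files."""
    return not mcs_dominates(level_a, level_b) and not mcs_dominates(level_b, level_a)
```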

-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to with the words "unsubscribe selinux" without quotes as the message.