[redhat-lspp] Re: LSPP Development Telecon 06/19/2006 Minutes
Joe Nall
joe at nall.com
Thu Jun 22 19:47:31 UTC 2006
On Jun 21, 2006, at 10:19 PM, Eric W. Biederman wrote:
> I'm not certain what is meant by a polyinstantiated port, and until
> then I can't see if it helps.
Multiple instances of a daemon with different security contexts
listen on the same port on one IP address with no EADDRINUSE. Inbound
connections are matched to a listener by port, IP address and
security context.
Imagine an Apache installation where the document root, log and pid
files are in a polyinstantiated directory.
runcon -l unclassified -- apachectl start
runcon -l confidential -- apachectl start
runcon -l secret -- apachectl start
runcon -l unclassified -- curl http://localhost/
- shows you the unclassified home page
runcon -l secret -- curl http://localhost/
- shows you the secret home page
With polyinstantiated ports and directories, there is only one
http.conf. This is a beautiful thing in Trusted Solaris, you can run
a properly configured 'stupid daemon' at multiple levels and it just
works. Adding a new level is as simple as adding a new runcon to the
startup script. With a few levels this is not a big deal, with dozens
it is a very big deal.
joe
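An added model (not from this mail, and not kernel code from Trusted Solaris or Linux) of the bind/match rule described above: a listener is keyed by the triple (IP address, port, security context), so a second bind on the same IP and port collides with EADDRINUSE only when the context is also the same, and an inbound connection is routed by the same triple. The `PolyinstantiatedPortTable` class, the `Listener` record and the daemon labels are constructed for illustration; the non-polyinstantiated mode is included for contrast.

```python
import errno
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    ip: str
    port: int
    level: str    # MLS sensitivity label, e.g. "unclassified" (constructed)
    daemon: str   # label for the instance that owns the socket (constructed)


class PolyinstantiatedPortTable:
    """Toy model of polyinstantiated ports (an assumption, not a real API):
    the bind key is (ip, port, security context); without polyinstantiation
    it is only (ip, port), so a second daemon on the same ip:port collides."""

    def __init__(self, polyinstantiated=True):
        self.polyinstantiated = polyinstantiated
        self.listeners = {}   # bind key -> Listener

    def _key(self, ip, port, level):
        return (ip, port, level) if self.polyinstantiated else (ip, port)

    def bind(self, ip, port, level, daemon):
        key = self._key(ip, port, level)
        if key in self.listeners:
            raise OSError(errno.EADDRINUSE, "Address already in use")
        listener = Listener(ip, port, level, daemon)
        self.listeners[key] = listener
        return listener

    def match(self, ip, port, level):
        """Route an inbound connection to the listener with the same port,
        IP address and security context; None if no instance serves it."""
        return self.listeners.get(self._key(ip, port, level))


def bind_collides(table, ip, port, level, daemon):
    """True if bind() fails with EADDRINUSE, False if it succeeds."""
    try:
        table.bind(ip, port, level, daemon)
    except OSError as exc:
        return exc.errno == errno.EADDRINUSE
    return False


def demo():
    """Three httpd instances at three levels on one ip:port, as in the mail."""
    table = PolyinstantiatedPortTable()
    for level in ("unclassified", "confidential", "secret"):
        table.bind("127.0.0.1", 80, level, f"httpd@{level}")
    # runcon -l <level> -- curl http://localhost/ reaches the matching instance
    return {lvl: table.match("127.0.0.1", 80, lvl).daemon
            for lvl in ("unclassified", "secret")}
```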