On Jun 21, 2006, at 10:19 PM, Eric W. Biederman wrote:

> I'm not certain what is meant by a polyinstantiated port, and until then I can't see if it helps.

Multiple instances of a daemon with different security contexts listen on the same port on one IP address with no EADDRINUSE. Inbound connections are matched to a listener by port, IP address and security context.

Imagine an Apache installation where the document root, log and pid files are in a polyinstantiated directory.

runcon -l unclassified -- apachectl start
runcon -l confidential -- apachectl start
runcon -l secret       -- apachectl start

runcon -l unclassified -- curl http://localhost/
 - shows you the unclassified home page

runcon -l secret -- curl http://localhost/
 - shows you the secret home page

With polyinstantiated ports and directories, there is only one http.conf. This is a beautiful thing in Trusted Solaris: you can run a properly configured 'stupid daemon' at multiple levels and it just works. Adding a new level is as simple as adding a new runcon to the startup script. With a few levels this is not a big deal; with dozens it is a very big deal.

joe

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
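A small model of the matching rule described in the mail (the bind key includes the security context, and an inbound connection is dispatched on IP, port and the peer's context), added here as an illustration and not code from the thread or from any kernel. PortTable, run_demo and the level labels are constructed for the example, and dispatch uses exact label equality rather than MLS dominance; a classic (ip, port) mode is included for contrast.

```python
from dataclasses import dataclass, field

class AddrInUse(Exception):
    """Stands in for EADDRINUSE, which a colliding bind() normally returns."""

@dataclass
class PortTable:
    """Listener names keyed by (ip, port, context); classic mode keys by (ip, port)."""
    polyinstantiated: bool = True
    listeners: dict = field(default_factory=dict)

    def _key(self, ip, port, context):
        return (ip, port, context) if self.polyinstantiated else (ip, port)

    def bind(self, ip, port, context, name):
        key = self._key(ip, port, context)
        if key in self.listeners:
            raise AddrInUse(f"{ip}:{port} already bound: {key}")
        self.listeners[key] = name

    def dispatch(self, ip, port, peer_context):
        # Inbound connection goes to the listener matching ip, port and the
        # peer's context; None models "connection refused" (no such listener).
        return self.listeners.get(self._key(ip, port, peer_context))

def run_demo(polyinstantiated=True):
    """Three httpd instances at three levels, as in the runcon lines above.
    The level names are constructed labels, not real policy contexts."""
    table = PortTable(polyinstantiated=polyinstantiated)
    bound = []
    for level in ("unclassified", "confidential", "secret"):
        try:
            table.bind("127.0.0.1", 80, level, f"httpd[{level}]")
            bound.append(level)
        except AddrInUse:
            pass  # classic sockets: second and third daemon get EADDRINUSE
    try:  # a second daemon at an already-used level still collides
        table.bind("127.0.0.1", 80, "secret", "httpd[secret-dup]")
        dup_allowed = True
    except AddrInUse:
        dup_allowed = False
    return {"bound": bound, "dup_allowed": dup_allowed,
            "secret_hits": table.dispatch("127.0.0.1", 80, "secret"),
            "topsecret_hits": table.dispatch("127.0.0.1", 80, "topsecret")}
```

With polyinstantiation all three daemons bind and a "secret" client reaches the secret instance, while a level with no daemon gets nothing; in classic mode only the first daemon binds and every client lands on it.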
