On Sun, 2004-05-02 at 18:49, Colin Walters wrote:
> There has been some work done on a "relaxed" policy. The intention of
> this policy is to simply protect system daemons, and not user logins.
> Right now there is just a policy for apache (which doesn't really work
> due to a kernel bug). Everything else runs in an "unconfined_t" domain,
> which essentially has every SELinux permission, and thus you are back to
> relying on DAC.

IIRC, the problem with apache is simply upon restarting it from an admin shell; with the current policy, SELinux will close the descriptors to the admin tty, and apache misbehaves if descriptors 0-2 don't exist. We have a patch to the SELinux module to change it to re-open descriptors it closes upon exec to the null device to avoid such problems. But in the meantime, there are several options:

1) Change /etc/init.d/httpd to redirect descriptors 0-2 to /dev/null when starting httpd.

2) Remove noatsecure permission from initrc_t to the daemon domains in the daemon_base_domain macro in policy/macros/global_macros.te. This will cause glibc secure mode to be enabled upon the daemon execution, so that glibc will itself re-open descriptors 0-2 to /dev/null if they are closed (but will also cause glibc to perform other sanitization that may not be appropriate).

3) Allow httpd_t to access the tty/pty; not good for production use, but ok for experimentation with the policy, e.g.:

    allow httpd_t { tty_device_t devpts_t }:chr_file rw_file_perms;

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
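The failure described in the message above (a daemon starting with descriptors 0-2 closed) can also be handled inside the daemon itself. The following is an added example, not code from the message, the SELinux module, glibc or Apache; the function name ensure_std_fds is hypothetical, and it shows only the general technique of re-opening closed standard descriptors on /dev/null at startup.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/*
 * ensure_std_fds (hypothetical name): make sure descriptors 0, 1 and 2 are
 * open before the daemon does any I/O. If one is closed, the next open() or
 * socket() call would be handed that number, and later writes to "stderr"
 * would land in a log file, config file or client socket instead.
 *
 * Returns the number of descriptors re-opened on /dev/null, or -1 on error.
 */
int ensure_std_fds(void)
{
    int reopened = 0;

    for (int fd = 0; fd <= 2; fd++) {
        /* F_GETFD fails with EBADF only when fd is not an open descriptor. */
        if (fcntl(fd, F_GETFD) != -1)
            continue;
        if (errno != EBADF)
            return -1;

        /* open() returns the lowest free descriptor. Descriptors 0..fd-1
         * are known to be open at this point, so the result should be fd. */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {
            /* Defensive: another thread took the slot. Do not continue
             * with an unexpected descriptor layout. */
            close(nfd);
            return -1;
        }
        reopened++;
    }
    return reopened;
}

int main(void)
{
    /* Call before opening logs, sockets or configuration files. */
    if (ensure_std_fds() < 0)
        return 1;
    /* ... rest of daemon startup would follow here ... */
    return 0;
}
```
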