You might want to look at: http://code.google.com/p/sepgsql/wiki/Apache_SELinux_plus

Ted

On Sat, Jan 15, 2011 at 7:45 PM, Scott Gifford <sgifford@xxxxxxxxxxxxxxxx> wrote:
> Hello,
>
> I'm experimenting with SELinux policies again. I've got a test server set
> up now, so I have a bit more freedom and flexibility. I have a policy that
> is basically working, and wanted to get some feedback on it.
>
> I'm working on designing a security architecture for a Web application we
> have under development, and creating an SELinux policy to help implement it.
> I would like to prevent any flaws in Apache or the Web application from
> leaking access to other HTTP worker processes for current or future
> connections, where credentials of other users may be accessible.
>
> The Web server begins in the httpd_t domain, which has somewhat more
> privileges than our application needs. For example, it has access to the
> listening HTTP socket, where it could accept new connections and so access
> future connections. I would like to reduce the privileges of the HTTP
> worker processes after the connection is accepted but before any user data
> has been processed or our application code has been executed.
>
> I have this working with some mod_perl code which hooks into Apache right
> after it accepts the connection, and changes its running domain to
> httpd_portal_app_t. I did this by allowing a dyntransition from httpd_t to
> httpd_portal_app_t, then writing the new context to "/proc/$$/attr/current",
> and verified it is working with ps -Z. That domain has a smaller set of
> privileges than httpd_t, and is not allowed to do things like accept new
> connections, listen on new sockets, read from log files, etc. There is no
> rule allowing httpd_portal_app_t to transition back to httpd_t, and after
> handling a single connection, the process exits (it is configured with the
> Apache option MaxRequestsPerChild 1).
>
> I am still testing and prototyping, but so far this is all working. I have
> a few questions, though.
>
> First, I see a lot of warnings in "SELinux by Example" and other places on
> the Web about how using dyntransition is a bad idea. Is that true in this
> case, and if so, is there a better way to get a similar degree of isolation
> without taking the performance hit that a CGI-based environment would cost?
>
> Second, in RHEL 5, is there a way to constrain my httpd_portal_app_t to have
> its permission set bounded by that of httpd_t? That is, so
> that httpd_portal_app_t cannot have any privileges that httpd_t does not
> have? I see that some versions of SELinux are able to enforce this with the
> "typebounds" command, but that doesn't seem to be available in RHEL 5? That
> would help me ensure that this domain could only make things more secure,
> not less.
>
> Third, since my main goal here is to prevent processes from interacting with
> each other inappropriately, I would like to prevent each HTTP worker from
> reading any information from "/proc" for other HTTP workers. Currently they
> are allowed to do this, because they all run in the same domain. Is there
> any way to prevent this?
>
> Finally, if anybody has any thoughts or suggestions from doing similar
> applications, your thoughts are appreciated.
>
> Thanks!
>
> -----Scott.
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
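The per-connection dyntransition Scott describes, written out as an added example. This is Python, not Scott's mod_perl hook, and it is not code from the thread. It assumes the domain names from his post (httpd_t to httpd_portal_app_t) and the procfs interface he used, writing the new context to /proc/$$/attr/current (here /proc/self/attr/current). What it adds beyond his description is an in-process check: after the write, the context is read back and the worker fails closed if it is not in the restricted domain, rather than relying on an external ps -Z. The temp-file stand-in at the bottom is a constructed fixture so the logic can run on a machine without SELinux.

```python
"""Per-connection SELinux dyntransition with a read-back check.

Added example; not Scott's mod_perl hook and not code from the thread.
Assumes the domains from the post (httpd_t -> httpd_portal_app_t) and the
procfs interface Scott used: writing the new context to
/proc/$$/attr/current (here /proc/self/attr/current). The temp-file
stand-in at the bottom is a constructed fixture so the logic can be run
on a box without SELinux; a real worker omits attr_path.
"""
import os
import tempfile

ATTR_CURRENT = "/proc/self/attr/current"
WORKER_DOMAIN = "httpd_portal_app_t"  # assumed name, taken from the post


def _fields(ctx):
    fields = ctx.strip("\0\n").split(":")
    if len(fields) < 3:
        raise ValueError("not a user:role:type[:level] context: %r" % ctx)
    return fields


def context_type(ctx):
    """Type (domain) field of a security context string."""
    return _fields(ctx)[2]


def with_type(ctx, new_type):
    """Same context with only the type replaced; user, role, level kept."""
    fields = _fields(ctx)
    fields[2] = new_type
    return ":".join(fields)


def read_context(attr_path=ATTR_CURRENT):
    """Current context of this process (the kernel may NUL-terminate it)."""
    with open(attr_path) as f:
        return f.read().strip("\0\n")


def dyntransition(target_type, attr_path=ATTR_CURRENT):
    """Move this process into target_type and prove it happened.

    Needs 'allow <from> <to>:process dyntransition;' in policy; in
    enforcing mode a missing rule makes the write fail with EPERM.
    The re-read then checks what the kernel now reports instead of
    trusting that the write took effect. Any exception aborts the
    worker before it touches client data.
    """
    before = read_context(attr_path)
    if context_type(before) == target_type:
        return before
    wanted = with_type(before, target_type)
    with open(attr_path, "w") as f:
        f.write(wanted)  # EPERM here means policy denied the transition
    after = read_context(attr_path)
    if context_type(after) != target_type:
        raise PermissionError("still in %s, expected %s" % (after, target_type))
    return after


def serve_one_connection(handler, attr_path=ATTR_CURRENT):
    """Hook point: right after accept(), before any client bytes are parsed.

    With MaxRequestsPerChild 1 the process exits after handler() returns,
    and with no rule back to httpd_t it cannot regain the old domain.
    """
    dyntransition(WORKER_DOMAIN, attr_path)
    return handler()


def demo_with_fake_attr(start="system_u:system_r:httpd_t:s0",
                        target=WORKER_DOMAIN):
    """Constructed fixture: a temp file plays /proc/self/attr/current."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as f:
            f.write(start)
        return dyntransition(target, attr_path=path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_with_fake_attr())
```

On a real worker, call serve_one_connection() from the accept hook with the default attr_path; the fixture only shows the string handling and the fail-closed path. The policy side is the rule Scott already has, allow httpd_t httpd_portal_app_t:process dyntransition; with no inverse rule, which is what makes the read-back meaningful: once the worker is in httpd_portal_app_t, a second write back to httpd_t is denied.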