On 02/20/2011 05:59 PM, Dominick Grift wrote:
> On 02/20/2011 06:31 AM, Scott Gifford wrote:
>> On Mon, Jan 17, 2011 at 11:27 PM, Scott Gifford
>> <sgifford@xxxxxxxxxxxxxxxx> wrote:
>
>>> On Mon, Jan 17, 2011 at 2:45 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>> [ ... ]
>>>
>>>>> Third, since my main goal here is to prevent processes from interacting
>>>>> with each other inappropriately, I would like to prevent each HTTP worker
>>>>> from reading any information from "/proc" for other HTTP workers. Currently
>>>>> they are allowed to do this, because they all run in the same domain. Is
>>>>> there any way to prevent this?
>>>>>
>>>>
>>>> libvirt and sandbox use MCS separation for this. Basically they grab
>>>> random MCS labels to separate the processes. I would suggest using two
>>>> Categories, s0:c0-c1023,c0-1023 and make sure they are never the same.
>>>>
>>>> s0:c1,c43
>>>> s0:c2,c43
>>>>
>>>> Is fine.
>>>>
>>>> s0:c1,c1 is not
>>>>
>>>> Then just set that context and you should get separation. If you need
>>>> the processes to handle data it might get a little more complicated.
>>>>
>>>
>>> Thanks! I think I will need to learn a little more about this feature
>>> before I can use it. I will need a way to generate a unique category number
>>> (maybe from the PID?), and the processes will need to handle some shared
>>> data and code, so I will need to figure that out as well.
>>>
>
>> OK, so I have started experimenting with this, but /proc is not behaving how
>> I expect so far.
>
>> So I open up two shells. In the first I run:
>
>> runcon -l s0-s0:c0,c1 bash
>
>> and in the second:
>
>> runcon -l s0-s0:c0,c2 bash
>
>> So both should have access to c1, but only the first will have access to c1
>> and only the second will have access to c2.
>
> s0-s0:c0,c2 should not have access to c1
>
> but
>
> s0-s0:c0,c2 should

Err.. I meant: s0-s0:c0.c2 should

. signals a range (so c0.c2 means c0, c1 and c2).
, is just a separator (so c0,c2 means c0 and c2).

>> When I try this on files, it works:
>
>> shell1$ id -Z
>> user_u:system_r:unconfined_t:-s0:c0,c1
>> shell1$ ls -lZ test.c1 test.c2
>> -rw-rw-r-- sgifford sgifford user_u:object_r:user_home_t:s0:c1 test.c1
>> -rw-rw-r-- sgifford sgifford user_u:object_r:user_home_t:s0:c2 test.c2
>> shell1$ head -1 test.c1 test.c2
>> ==> test.c1 <==
>> Category 1
>> head: cannot open `test.c2' for reading: Permission denied
>
>> But on /proc files it does not:
>
>> shell1$ id -Z
>> user_u:system_r:unconfined_t:-s0:c0,c1
>> shell1$ ls -lZ /proc/10961/maps
>> -r--r--r-- sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2 /proc/10961/maps
>> shell1$ head -1 /proc/10961/maps
>> 002ac000-002ad000 r-xp 002ac000 00:00 0 [vdso]
>
> from /policy/mcs:
>
> # Note:
> # - getattr on dirs/files is not constrained.
> # - /proc/pid operations are not constrained.
>
> so that explains the above
>
>> That is, even though "ls -lZ" indicates that the maps file for PID 10961
>> requires c2 and my shell does not have c2, still I am allowed to read this
>> file.
>
>> I must be misunderstanding something here. Any thoughts or hints?
>
>> Thanks!
>
>> -----Scott.
>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
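The points made across the thread (the "." range versus "," separator in category lists, the dominance check that lets s0-s0:c0,c1 read test.c1 but not test.c2, the "two distinct categories" rule for worker labels, and the policy note that /proc/pid operations are not MCS-constrained) can be checked offline with a small model of MCS labels. The following is an added example written for this page, not code from the thread, from Fedora's policy or from libvirt; the label strings and the /proc note come from the thread, while the function names, the path-based /proc exemption and the random-label helper are this example's own assumptions about how the real policy behaves.

```python
import re
import secrets

# Added example: a model of SELinux MCS labels and the MCS read constraint
# (subject's high level must dominate the object's level). The function
# names and the path-based /proc exemption are assumptions of this example.

CAT_RE = re.compile(r"^c(\d+)$")
SENS_RE = re.compile(r"^s(\d+)$")
PROC_PID_RE = re.compile(r"^/proc/\d+(?:/|$)")   # /proc/<pid>/... entries
MAX_CATEGORY = 1023                               # stock policy: c0..c1023

Level = tuple[int, frozenset[int]]                # (sensitivity, categories)


def parse_categories(spec: str) -> frozenset[int]:
    """'c0.c2' is a range (c0, c1, c2); ',' only separates entries,
    so 'c0,c2' is c0 and c2 with nothing in between."""
    cats: set[int] = set()
    for part in filter(None, spec.split(",")):
        pieces = part.split(".")
        if len(pieces) > 2:
            raise ValueError(f"bad category spec {part!r}")
        lo, hi = pieces[0], pieces[-1]
        m_lo, m_hi = CAT_RE.match(lo), CAT_RE.match(hi)
        if not (m_lo and m_hi):
            raise ValueError(f"bad category spec {part!r}")
        a, b = int(m_lo.group(1)), int(m_hi.group(1))
        if a > b or b > MAX_CATEGORY:
            raise ValueError(f"bad category range {part!r}")
        cats.update(range(a, b + 1))
    return frozenset(cats)


def parse_level(level: str) -> Level:
    """One level: 's0', 's0:c1' or 's0:c0.c2' -> (sensitivity, categories)."""
    sens, _, catspec = level.partition(":")
    m = SENS_RE.match(sens)
    if not m:
        raise ValueError(f"bad sensitivity in {level!r}")
    return int(m.group(1)), parse_categories(catspec)


def parse_range(rng: str) -> tuple[Level, Level]:
    """'low-high' as given to runcon -l; a bare level means low == high."""
    low, _, high = rng.partition("-")
    low_l = parse_level(low)
    return low_l, (parse_level(high) if high else low_l)


def dominates(a: Level, b: Level) -> bool:
    """MLS dominance: sensitivity >= and categories a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def mcs_read_allowed(subject_range: str, object_level: str, path: str) -> bool:
    """Model of the MCS file read constraint. /proc/<pid> objects are exempt,
    mirroring the policy note quoted above, so MCS alone does not hide one
    worker's /proc entries from another worker in the same domain."""
    if PROC_PID_RE.match(path):
        return True
    _, high = parse_range(subject_range)
    return dominates(high, parse_level(object_level))


def mutually_isolated(label_a: str, label_b: str) -> bool:
    """True when neither worker label dominates the other, i.e. MCS keeps
    the two processes' files apart in both directions."""
    a, b = parse_level(label_a), parse_level(label_b)
    return not dominates(a, b) and not dominates(b, a)


def random_worker_label() -> str:
    """Two distinct random categories per worker (the libvirt/sandbox approach),
    so a degenerate label like 's0:c1,c1' is never produced."""
    a = secrets.randbelow(MAX_CATEGORY + 1)
    b = secrets.randbelow(MAX_CATEGORY)
    if b >= a:
        b += 1            # skip a; b is now uniform over the other 1023 values
    lo, hi = sorted((a, b))
    return f"s0:c{lo},c{hi}"


if __name__ == "__main__":
    # The two shells and files from the thread, plus the /proc case.
    for subj, obj, path in [("s0-s0:c0,c1", "s0:c1", "test.c1"),
                            ("s0-s0:c0,c1", "s0:c2", "test.c2"),
                            ("s0-s0:c0,c2", "s0:c1", "test.c1"),
                            ("s0-s0:c0.c2", "s0:c1", "test.c1"),
                            ("s0-s0:c0,c1", "s0:c0,c2", "/proc/10961/maps")]:
        print(f"{subj:14} reading {path:18} ({obj}): {mcs_read_allowed(subj, obj, path)}")
    print("s0:c1,c43 vs s0:c2,c43 isolated:", mutually_isolated("s0:c1,c43", "s0:c2,c43"))
    print("random worker label:", random_worker_label())
```

The last table row is the one Scott observed: the dominance check fails (c0,c1 does not cover c2), yet the read is allowed because the object lives under /proc/<pid>, which the stock MCS constraints leave alone. Keeping workers out of each other's /proc entries therefore needs a separate mechanism (distinct domains or a constraint that covers those classes) rather than MCS categories by themselves.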