Re: Using dyntransition to reduce privileges for Web application


On 02/21/2011 10:19 PM, Scott Gifford wrote:
> On Mon, Feb 21, 2011 at 2:22 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> 
> 
>     On 02/21/2011 12:37 PM, Scott Gifford wrote:
>     > Yes, I am creating categories for my Web server child processes
>     > based on their PID to stop them from having access to each other's
>     > internal data in "/proc" (a variation on your earlier suggestion to
>     > "grab random MCS labels to separate the processes"), but the files
>     > in /var/run/portal_auth have session data that all the Web processes
>     > need access to.
>     >
>     > I can keep using setxattr, that seems to work well enough.
>     >
>     > But I guess I'm not clear on when and how the category field to
>     > gen_context in the .fc file is used?
>     >
> 
> [ ... ] 
> 
>     The syntax should have been:
> 
>     /var/www/portal_auth(/.*)?
>     gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,s0:c0)
> 
>     s0:c0 means Security Level s0 with category c0.
> 
> 
> When I try that I get this error:
> 
>     libsepol.mls_from_string: invalid MLS context s0:s0:c0
> 
> 
> Which seems to confirm what the Tresys Wiki page GettingStarted
> <http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted> says:
Ok, I guess you were right. Anyway, with the c0, that should only set up
labeling for SELinux-aware applications. It will not set the label
automatically. You would still need to do the restorecon -F.
> 
>     Since the MCS policy has only one sensitivity (s0), this is
>     automatically added by the gen_context() macro, and should not be
>     added by the user.
> 
> 

> Any other suggestions for how to get these files labeled with a category
> automatically?
> 
I am not sure there is a way.
>     If you leave the files with no categories s0, then they should be able
>     to read/write them.
> 
> 
> Yeah, true, but I'm not sure how to cause them to have no category
> either, apart from using setxattr.
>  
I think if you do the file context correctly you can run restorecon -F
to fix the label.  If your CGI were in Code or python, you could use
setfscreatecon, to set the label automatically.
> 
>     Moving to categories provides isolation between the scripts, the goal
>     would be for the scripts to not be able to attack each other, but
>     allowing them to write to the same files potentially gives them a
>     mechanism to attack each other.
> 
> 
> Definitely true, but the communication is necessary in this case, and
> the files are easier to understand and control than the process data.  I
> think it's a good tradeoff for my application.
> 
> Thanks!
> 
> ------Scott.
> 

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
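As an added illustration (not code from this thread or from the reference policy), the MCS subset rule behind the point that an uncategorised s0 file stays reachable from every per-PID category, plus a helper that uses setfscreatecon the way the reply suggests for a Python CGI. The context strings, the regex for the MLS field, and the use of the selinux Python binding of libselinux are assumptions.

```python
import os
import re

try:
    import selinux                      # python3-libselinux, present on SELinux hosts
except ImportError:                     # the pure MCS logic below still runs anywhere
    selinux = None

# MLS field of an MCS context: one sensitivity (s0) plus optional categories,
# written as single values or ranges, e.g. "s0", "s0:c17", "s0:c0.c3,c7".
_MLS_RE = re.compile(r"^s0(?::(c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?$")

def parse_mcs(ctx):
    """Return the category set of a full context such as
    'system_u:object_r:httpd_sys_script_rw_t:s0:c0.c3'.  Rejects malformed
    MLS fields, including the 's0:s0:c0' that results from handing s0 to
    gen_context() a second time."""
    parts = ctx.split(":", 3)
    m = _MLS_RE.match(parts[3]) if len(parts) == 4 else None
    if m is None:
        raise ValueError("invalid MLS context %s" % ctx)
    cats = set()
    for item in filter(None, (m.group(1) or "").split(",")):
        lo, _, hi = item.partition(".")
        first = int(lo[1:])
        last = int(hi[1:]) if hi else first
        cats.update(range(first, last + 1))
    return cats

def mcs_allows(process_ctx, file_ctx):
    """MCS rule: a process may access a file only if the file's category set is
    a subset of the process's.  So a plain-s0 file is reachable from every
    per-PID category, while a file carrying another worker's category is not."""
    return parse_mcs(file_ctx) <= parse_mcs(process_ctx)

def create_uncategorised(path, ctx="system_u:object_r:httpd_sys_script_rw_t:s0"):
    """Create a shared session file that every category-separated worker can
    use, by setting the creation context (setfscreatecon) around open().
    Assumes the selinux Python binding of libselinux."""
    parse_mcs(ctx)                      # fail early on a malformed context
    if selinux is None or not selinux.is_selinux_enabled():
        raise RuntimeError("setfscreatecon needs libselinux on an SELinux host")
    previous = selinux.getfscreatecon()[1]
    selinux.setfscreatecon(ctx)
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
    finally:
        selinux.setfscreatecon(previous)  # None clears the override again
```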