This is an RFC for the httpd-selinux package. It makes it possible to invoke a content handler with an individual security context based on HTTP authentication.

Apache has a feature to handle various kinds of file formats like *.html, *.php, *.cgi and so on. These are well modularized and we call them content handlers.

The idea is simple. The httpd-selinux assigns a proper security context using the setcon() API just before the content handler is invoked. The context is identified based on HTTP authentication.

When the httpd-selinux accepts an HTTP request from a client, it creates a one-time thread and waits for its exit. The child thread invokes setcon() as I noted above, and executes the content handler to generate the HTTP response. As a result, it enables running web applications under a restricted domain and prevents web application flaws.

Steps to build/install
----------------------

$ vi ~/.rpmmacros
# set a proper '%_topdir' macro
$ wget http://<somewhere Fedora mirrors>/path/to/httpd-2.2.9-4.src.rpm
$ svn checkout http://sepgsql.googlecode.com/svn/misc/httpd-selinux
$ ./httpd-selinux/build-httpd-selinux.sh ./httpd-2.2.9-4.src.rpm
$ su -
# rpm -ivh /path/to/rpms/i386/httpd-selinux-2.2.9-4.i386.rpm
Preparing... ########################################### [100%]
1:httpd-selinux ########################################### [100%]
# vi /etc/sysconfig/httpd
# add a line: "HTTPD=/usr/sbin/httpd.selinux"
# /etc/init.d/httpd restart

(NOTE) The kernel has to support the type boundary feature.
(NOTE) If you feel the source code is complex, get a diff between prefork.c and selinux.c. :)

Configuration
-------------

The "/etc/httpd/conf.d/httpd-selinux.conf" is a template of the configuration. It defines three directives, which can be enclosed in a <Directory> tag.

- selinuxAuthConfigFile
  It specifies a path to the configuration file which describes pairs of authenticated user and its domain/range.
- selinuxAuthDefaultDomain
  It specifies the default domain.
- selinuxAuthDefaultRange
  It specifies the default range.
Future plans
------------

* Proposing it to the upstream Apache developers and Fedora community
* Proposing PHP/SELinux binding to PHP developers
* Similar enhancement on application servers, like Tomcat
* Full SELinux coverage on the LAPP software stack: http://kaigai.sakura.ne.jp/sblo_files/kaigai/image/080719_lapp.png

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
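The per-request flow the mail describes (look up the authenticated user, spawn a one-time thread, call setcon() in that thread, then run the content handler while the parent waits) can be sketched in plain C. The block below is an added example written for this page; it is not httpd-selinux's selinux.c and not KaiGai's code. It assumes a selinuxAuthConfigFile layout of one "user domain range" triple per line (the mail does not give the format), a "system_u:system_r" prefix for the composed context, constructed type names such as webapp_alice_t, and a hypothetical handler_fn signature standing in for Apache's handler hooks. setcon() is taken as a weak reference so the example links and runs on a host without libselinux; the dry_run flag skips the transition there, and on a real system a failed setcon() makes the worker fail closed, never running the handler.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>
/* Weak reference: non-NULL only when linked with libselinux, so the example
 * still builds and runs on a host without it. */
extern int setcon(const char *context) __attribute__((weak));
enum { MAXE = 32, SZ = 64 };
struct auth_entry { char user[SZ], domain[SZ], range[SZ]; };
struct auth_map { struct auth_entry e[MAXE]; int n; char def_domain[SZ], def_range[SZ]; };

/* ASSUMED selinuxAuthConfigFile layout (the mail gives none): one
 * "user domain range" triple per line; '#' starts a comment. */
int load_auth_config(struct auth_map *m, const char *text,
                     const char *def_domain, const char *def_range)
{
    char line[256];
    memset(m, 0, sizeof *m);
    snprintf(m->def_domain, SZ, "%s", def_domain);
    snprintf(m->def_range, SZ, "%s", def_range);
    while (*text) {
        size_t len = strcspn(text, "\n");
        const char *p;
        if (len >= sizeof line || m->n == MAXE) return -1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += len + (text[len] == '\n');
        for (p = line; *p == ' ' || *p == '\t'; p++) ;
        if (*p == '\0' || *p == '#') continue;
        if (sscanf(p, "%63s %63s %63s", m->e[m->n].user,
                   m->e[m->n].domain, m->e[m->n].range) != 3) return -1;
        m->n++;
    }
    return m->n;
}

/* Domain/range for the user, else selinuxAuthDefaultDomain/Range. The
 * "system_u:system_r" prefix is an assumption made for this example. */
int resolve_context(const struct auth_map *m, const char *user,
                    char *out, size_t outlen)
{
    const char *domain = m->def_domain, *range = m->def_range;
    int i, w;
    for (i = 0; i < m->n; i++)
        if (strcmp(m->e[i].user, user) == 0) {
            domain = m->e[i].domain; range = m->e[i].range; break;
        }
    w = snprintf(out, outlen, "system_u:system_r:%s:%s", domain, range);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

typedef int (*handler_fn)(const char *user, char *resp, size_t resplen);
struct request {
    const struct auth_map *map; const char *user; handler_fn handler;
    int dry_run;          /* 1: skip setcon() on a host without SELinux */
    char context[128], response[128];
    int status;           /* handler's return, or -1 if it never ran */
};

/* One-time thread body: setcon() changes only the calling thread's context,
 * so the transition is confined to this request. Fails closed on any error. */
static void *request_worker(void *arg)
{
    struct request *r = arg;
    r->status = -1;
    if (resolve_context(r->map, r->user, r->context, sizeof r->context) != 0)
        return NULL;
    if (!r->dry_run && (setcon == NULL || setcon(r->context) != 0))
        return NULL;
    r->status = r->handler(r->user, r->response, sizeof r->response);
    return NULL;
}

/* The parent spawns the one-time thread and waits for it, as the mail says. */
int handle_request(struct request *r)
{
    pthread_t tid;
    if (pthread_create(&tid, NULL, request_worker, r) != 0) return -1;
    pthread_join(tid, NULL);
    return r->status;
}

/* Constructed sample config and a stand-in content handler. */
static const char *kConstructedConfig =
    "# user  domain          range\n"
    "alice   webapp_alice_t  s0\n"
    "bob     webapp_bob_t    s0-s0:c1\n";
static int demo_handler(const char *u, char *resp, size_t n)
{ snprintf(resp, n, "hello %s", u); return 0; }

int run_demo(const char *user, int dry_run, char *context, char *response)
{
    struct auth_map m;
    struct request r = { .status = -1 };
    if (load_auth_config(&m, kConstructedConfig, "webapp_default_t", "s0") < 0)
        return -2;
    r.map = &m; r.user = user; r.handler = demo_handler; r.dry_run = dry_run;
    handle_request(&r);
    strcpy(context, r.context); strcpy(response, r.response);
    return r.status;
}
```

Calling run_demo("alice", 0, ctx, resp) on a host where the binary is linked against libselinux attempts the real transition; with dry_run set it only shows which context would be applied. Using a thread rather than the parent itself matters because setcon() applies to the calling thread only, which is what keeps the restricted domain scoped to a single request.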