On Mon, 2009-05-11 at 14:11 +0900, KaiGai Kohei wrote:
> Is anyone interested in the daemon process with mcs categories?
>
> My proposition tries to cover general daemon processes, but my
> major concern is apache/httpd performing without any categories.
> If we focus on apache/httpd, we can add the following policy
> within the mod_selinux.pp, and it enables httpd_t to run with
> mcs categories.
>
> optional_policy(`
>     init_ranged_daemon_domain(httpd_t,httpd_exec_t,s0 - mcs_systemhigh)
> ')
>
> The mod_selinux.so is an apache/httpd module which enables it to
> change its own security context prior to launching the contents
> handler. We can set up the module to drop all the categories
> for unauthorized http clients, and the rest of the requests to perform
> with appropriate categories.
>
> The above rule will be available only when mod_selinux is installed.
> I don't think it has any impact on existing stuff.

I think we should leave this up to the users. Apache should only be
given the set of categories which is the union of all of the categories
used by mod_selinux, which can only be determined by the users.

> KaiGai Kohei wrote:
> > The attached patch is a proof-of-concept for the facility to launch
> > daemon processes with certain mcs ranges.
> >
> > The selinux-daemon-mcs-run_init.patch adds to run_init a new option which
> > specifies the name of the daemon.
> >
> >   # run_init -n httpd /etc/init.d/httpd restart
> >
> > When the -n option is given, run_init looks up
> > /etc/selinux/<policy type>/contexts/initrc/<daemon>, and replaces the
> > range to be assigned to the init script.
> >
> >   [root@saba run_init]# cat /etc/selinux/targeted/contexts/initrc/httpd
> >   s0-s0:c0.c31
> >   [root@saba run_init]# ./run_init -n httpd /etc/init.d/httpd restart
> >   Authenticating kaigai.
> >   Password:
> >   Stopping httpd:                                            [  OK  ]
> >   Starting httpd:                                            [  OK  ]
> >   [root@saba run_init]# ps -AZ | grep httpd
> >   system_u:system_r:httpd_t:s0-s0:c0.c31 11303 ?        00:00:00 httpd
> >   system_u:system_r:httpd_t:s0-s0:c0.c31 11305 ?        00:00:00 httpd
> >   system_u:system_r:httpd_t:s0-s0:c0.c31 11308 ?        00:00:00 httpd
> >   system_u:system_r:httpd_t:s0-s0:c0.c31 11309 ?        00:00:00 httpd
> >   system_u:system_r:httpd_t:s0-s0:c0.c31 11310 ?        00:00:00 httpd
> >   :
> >
> > The selinux-daemon-mcs-rc-script.patch is a short hack to the system
> > init script. It launches the required script with "runcon -l", if a
> > per-daemon range is configured.
> >
> > These reworks typically enable a web application (launched by httpd) to
> > perform in a certain restrictive category of MCS.
> > Currently, mod_selinux's security policy module assigns "mcssetcats"
> > on httpd_t, but it is fundamentally dangerous and nonsense. :(
> >
> > So, I would like to see the daemon processes with appropriate categories.
> >
> > Thanks,
> >
> > KaiGai Kohei wrote:
> >> KaiGai Kohei wrote:
> >>> Sorry for opening the old discussion again.
> >>>
> >>> If you don't have the ML logs locally, please see the archives:
> >>>   http://marc.info/?t=114825463100001&r=1&w=2
> >>>
> >>> Christopher J. PeBenito wrote:
> >>>> I agree with James on this, I don't think we want to impose semantics in
> >>>> the MCS categories, and that this
> >>>>
> >>>>> Another possibility is to have the ability to configure which categories are
> >>>>> assigned to a daemon via run_init or some similar program. It would not be
> >>>>> difficult to read a config file that maps the domain of a daemon to the range
> >>>>> that should be granted to it.
> >>>>
> >>>> is useful so that if users do want to run a daemon with categories, they
> >>>> can.
> >>> It is still unavailable in the current SELinux userspace utilities, isn't it?
> >> Shall we start to implement an extension of run_init and others based on
> >> the above Russell's idea?
> >>
> >> Now, I have a plan to store configuration files at:
> >>   /etc/selinux/${POLICY_TYPE}/contexts/initrc/${DAEMON}
> >> or
> >>   /etc/selinux/${POLICY_TYPE}/contexts/initrc_contexts with format extensions
> >>
> >> and add a new option to run_init as:
> >>   run_init [-n <daemon>] <script> [<args> ...]
> >>
> >> It is intended to look at the per-daemon default range, instead of the initrc_contexts.
> >>
> >> and add a bit of hacks to the /etc/rc.d/rc script which launches daemon scripts
> >> when the run-level is changed. (Maybe it is necessary to launch them via "runcon -l"
> >> when the given daemon has its own range.)
> >>
> >> The last also needs a discussion on the Fedora developer's list.
> >> Dan, do you think it is a hopeful proposition?
> >>
> >> Thanks,
> >>
> >>> If we could start the init scripts via runcon by hand, it seems to me the
> >>> daemon processes perform with multiple categories.
> >>>
> >>> | [root@saba ~]# runcon -l s0-s0:c0.c255 /etc/init.d/httpd restart
> >>> | Stopping httpd:                                            [  OK  ]
> >>> | Starting httpd:                                            [  OK  ]
> >>> | [root@saba ~]# ps -AZ | grep httpd
> >>> | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6458 ? 00:00:00 httpd
> >>> | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6460 ? 00:00:00 httpd
> >>> | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6461 ? 00:00:00 httpd
> >>> | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6462 ? 00:00:00 httpd
> >>> | :
> >>>
> >>> But it is unavailable when the system kicks off the init scripts at startup time.
> >>> Is there any good idea?
> >>>
> >>> In recent days, I'm working on an apache module (mod_selinux.so) which
> >>> launches the web application handler under an individual security context based
> >>> on http authentication.
> >>> I'm looking for a way to assign a few dozen categories to the httpd server
> >>> processes which are launched at system startup time.
> >>>
> >>> Thanks,

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
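The per-daemon range lookup that the quoted "run_init -n <daemon>" patch describes, together with the rc-script fallback to "runcon -l", written out as an added shell example; this is not KaiGai's patch or the run_init source. The SELINUX_ROOT override, the initrc_t base context and the range files the test creates are assumptions for the example; a range file that is missing or malformed falls back to the unchanged initrc context, i.e. no categories.

```shell
#!/bin/sh
# Added example: per-daemon MCS range lookup for init scripts.
# SELINUX_ROOT (default /etc/selinux) is an assumed override so the
# functions can be exercised against a constructed directory tree.

# Accept a single level ("s0") or a range ("s0-s0:c0.c31") only; the
# file is administrator-controlled, so anything else is treated as
# misconfigured rather than passed to runcon.
valid_mcs_range() {
    printf '%s\n' "$1" |
        grep -Eq '^s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?(-s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?)?$'
}

# Print the range from <root>/<policy type>/contexts/initrc/<daemon>.
# Returns 1 if no file is configured, 2 if the file content is invalid.
daemon_range() {
    _file="${SELINUX_ROOT:-/etc/selinux}/${1}/contexts/initrc/${2}"
    [ -f "$_file" ] || return 1
    _range=$(head -n 1 "$_file" | tr -d '[:space:]')
    valid_mcs_range "$_range" || return 2
    printf '%s\n' "$_range"
}

# Swap the range field (everything after the third ':') of the initrc
# context for the per-daemon range. Without a usable range file the base
# context is returned unchanged, which is what run_init does today.
#   system_u:system_r:initrc_t:s0 -> system_u:system_r:initrc_t:s0-s0:c0.c31
initrc_context_for() {
    _policy=$1 _daemon=$2 _base=$3
    _range=$(daemon_range "$_policy" "$_daemon") || { printf '%s\n' "$_base"; return 0; }
    printf '%s:%s\n' "$(printf '%s' "$_base" | cut -d: -f1-3)" "$_range"
}

# What the rc-script hack would run: prefix the init script with
# "runcon -l <range>" only when a range is configured. This prints the
# command line; a real rc script would exec it with "$@" instead.
launch_cmd() {
    _policy=$1 _daemon=$2; shift 2
    if _range=$(daemon_range "$_policy" "$_daemon"); then
        printf 'runcon -l %s %s\n' "$_range" "$*"
    else
        printf '%s\n' "$*"
    fi
}
```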