On May 18, 2009, at 3:31 AM, KaiGai Kohei wrote:

> Joe Nall wrote:
>
>> On May 11, 2009, at 12:11 AM, KaiGai Kohei wrote:
>>
>>> Is anyone interested in the daemon process with mcs categories?
>>>
>>> My proposition tries to cover general daemon processes, but my
>>> major concern is apache/httpd performing without any categories.
>>> If we focus on the apache/httpd, we can add the following policy
>>> within the mod_selinux.pp, and it enables httpd_t to run with
>>> mcs categories.
>>>
>>> optional_policy(`
>>>     init_ranged_daemon_domain(httpd_t, httpd_exec_t, s0 - mcs_systemhigh)
>>> ')
>>>
>>> The mod_selinux.so is an apache/httpd module which enables it to
>>> change its own security context prior to launching the content
>>> handler. We can set up the module to drop all the categories
>>> for unauthorized http clients, and the rest of the requests to perform
>>> with appropriate categories.
>>>
>>> The above rule will be available only when mod_selinux is installed.
>>> I don't think it has any impact on existing stuff.
>>>
>>> Any comments?
>>
>> FWIW, we run apache 1.3 out of xinetd at multiple contexts using labeled
>> networking. HTTP performance is surprisingly good. HTTPS performance is
>> unacceptable, so we are using an HTTPS reverse proxy in a DMZ for single
>> level network services to the 'enterprise'.
>
> Are you saying that xinetd can launch multiple apache/httpd daemon processes
> with individual security context?

Yes

> If so, unfortunately, it is different from what I would like to achieve. :(
>
> I guess the security context of the daemon process is determined prior to
> receiving http-requests that come from users, but the security context to be
> assigned on web application depends on the authentication-header within
> the http-request-headers, so we cannot know who is connected at xinetd time.

We are basing the context on the context of the connecting user,
delivered by either netlabel or labeled IPSec. We are not changing
context based on apache user authentication.

> Or, are we talking about topics in a different layer?

Sounds like it. Just wanted to point out that you might not need to
trust apache to achieve some of your goals.

joe

> Thanks,
> --
> OSS Platform Development Division, NEC
> KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
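The point of the ranged-domain rule above is that httpd_t runs in a context with a category range rather than plain s0. The following is an added example, not code from the thread or from mod_selinux, that checks `ps -eZ`-style output for httpd_t processes carrying MCS categories; the sample lines are constructed, and the `s0-s0:c0.c1023` range is assumed to be what `s0 - mcs_systemhigh` expands to under the reference policy's default MCS settings.

```python
"""Report which httpd_t processes run with MCS categories.

Added example (not from the mailing-list thread).  Parses lines in the
shape printed by `ps -eZ` ("context  PID  TTY  TIME  CMD") and records,
per httpd_t process, whether its MLS/MCS range carries any category.
"""
import re

# Constructed sample output; PIDs and ranges are illustrative only.
SAMPLE_PS_OUTPUT = """\
system_u:system_r:httpd_t:s0                          1234 ?     00:00:01 httpd
system_u:system_r:httpd_t:s0-s0:c0.c1023              1235 ?     00:00:00 httpd
system_u:system_r:httpd_t:s0:c3,c7                    1236 ?     00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2000 pts/0 00:00:00 bash
"""

# user:role:type[:range]  followed by whitespace and the PID column.
CONTEXT_RE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+)"
    r"(?::(?P<range>\S+))?\s+(?P<pid>\d+)\s"
)


def parse_context(line):
    """Split one ps line into its context fields; None if it does not match."""
    m = CONTEXT_RE.match(line)
    return m.groupdict() if m else None


def has_categories(mls_range):
    """True if the low or high level of the range names at least one category.

    'S0' -> False, 's0-s0:c0.c1023' -> True, 's0:c3,c7' -> True.
    """
    if not mls_range:
        return False
    return any(":" in level for level in mls_range.split("-"))


def httpd_category_report(ps_text):
    """Map PID -> bool (has categories) for every httpd_t process in ps_text."""
    report = {}
    for line in ps_text.splitlines():
        ctx = parse_context(line)
        if ctx and ctx["type"] == "httpd_t":
            report[int(ctx["pid"])] = has_categories(ctx["range"])
    return report


if __name__ == "__main__":
    for pid, ranged in sorted(httpd_category_report(SAMPLE_PS_OUTPUT).items()):
        print(f"httpd_t pid {pid}: {'categories present' if ranged else 'plain s0'}")
```

Run it against live output with `ps -eZ | python3 this_script.py`-style piping only after replacing the constructed sample with `sys.stdin.read()`.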
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.