2011/4/15 David Quigley <dpquigl@xxxxxxxxxxxxxxx>:
> Are there any good examples out there of locking down a webapp's access to a
> database using SEPostGreSQL and some web language like Ruby on Rails? I
> looked at Kaigai's and the SELinux Notebook examples for sepgsql policy and
> it seems to use the types in reference policy instead of creating new types
> for objects and only provides separation through MCS. It would be nice to go
> over either an in-depth example that uses different types from reference
> policy or maybe showcases locking down a specific application.
>

One matter is that we need to describe TE policy for web applications from
scratch, because we don't have a template suitable for them.

The mod_selinux package provides the following interface to allow a set of
basic permissions to perform the supplied domain bounded to the httpd_t domain.

http://code.google.com/p/sepgsql/source/browse/trunk/mod_selinux/mod_selinux.if

However, I face the burden of its maintenance day by day.
If apache.if provides a few templates to define web application domains,
I believe we may provide various scenarios using TE rules, rather than MCS.

Thanks,
--
KaiGai Kohei <kaigai@xxxxxxxxxxxx>