Re: MCS error


 



On Thu, Feb 19, 2015 at 12:17:21PM -0800, Tracy Reed wrote:
> On Thu, Feb 19, 2015 at 11:46:18AM PST, Stephen Smalley spake thusly:
> > Domains with those attributes can override the corresponding MCS
> > constraint.  Depending on version, seinfo --constrain will dump the
> > actual constraints for you.  In any event, I suspect you need to assign
> > the mcsuntrustedproc attribute to your web application domains if you
> > want them to be constrained by MCS at all, plus you'd need to run them
> > with specific category sets.
> 
> How do I assign mcsuntrustedproc attribute to my web application domain? I know
> how to set booleans, categories, etc. but have not yet encountered needing to
> set an attribute for a domain. Google for "set selinux attribute" turns up
> stuff about setting user, role, type etc. as attributes but nothing about
> setting attributes such as mcsuntrustedproc.


I actually have it documented extensively in a set of YouTube videos on my "domg4721" channel (like many other SELinux topics).

I encountered it both with mod_selinux, as well as just manually associating compartments with web apps by using runcon in a web script that runs other scripts (not something I would ever do in a production environment, just a proof of concept).

In my view MCS is generally overkill unless you have many processes to compartmentalize. In theory you can also use existing security attributes, for example the identity security attribute; it's there, so you might as well use it. Or if you have just a few processes to compartmentalize, then just use type enforcement.

No need to have a mls policy for that. When things get big though with tens or hundreds of compartmentalized processes then MCS comes in handy.

> 
> -- 
> Tracy Reed



> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.


-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift


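The question in the thread is how an attribute such as mcsuntrustedproc gets attached to a domain. It is done in policy, not with a boolean or a category command: a small policy module declares `typeattribute DOMAIN mcsuntrustedproc;`. The script below is an added example for this thread, not code from either poster or from the SELinux project; it generates such a module, shows the standard build/load commands, the seinfo check, and the runcon form Dominick describes for starting a web script with a category. The domain name httpd_sys_script_t, the category c7 and the script path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from any SELinux project.
# Generates a policy module that attaches the mcsuntrustedproc attribute
# to an existing domain, builds/loads it with the standard tooling, and
# shows the runcon form used to start a compartmentalised web script with
# a category. httpd_sys_script_t is an assumed domain; substitute your own
# web application domain.
set -eu

# Emit policy source in "module" form so checkmodule can compile it
# directly, without the refpolicy m4 macros.
mcs_attr_module() {
    domain="$1"
    cat <<EOF
module mcs_${domain} 1.0;

require {
    type ${domain};
    attribute mcsuntrustedproc;
}

# Per the thread: without this attribute the domain is not subject to the
# MCS process constraints at all; with it, category dominance is checked.
typeattribute ${domain} mcsuntrustedproc;
EOF
}

# Build and load the module (needs checkmodule, semodule_package, semodule
# and root). Only called when the script is run with --load.
build_and_load() {
    domain="$1"
    name="mcs_${domain}"
    mcs_attr_module "$domain" > "${name}.te"
    checkmodule -M -m -o "${name}.mod" "${name}.te"
    semodule_package -o "${name}.pp" -m "${name}.mod"
    semodule -i "${name}.pp"
}

# Check the result: seinfo -a ATTR -x lists the types carrying the
# attribute, and seinfo --constrain (mentioned in the thread) dumps the
# constraints the attribute now participates in.
verify_attr() {
    seinfo -a mcsuntrustedproc -x | grep -w "$1"
    seinfo --constrain | grep -i mcs
}

# Compose the runcon invocation that runs SCRIPT in DOMAIN confined to a
# single category (label s0:cN); the category set is what MCS compares.
mcs_runcon_cmd() {
    domain="$1"; cats="$2"; script="$3"
    printf 'runcon -t %s -l s0:%s %s\n' "$domain" "$cats" "$script"
}

# Stand-alone run: print the generated module and the runcon line.
mcs_attr_module httpd_sys_script_t
mcs_runcon_cmd httpd_sys_script_t c7 /var/www/cgi-bin/app.sh

# Apply only when explicitly requested (root on an SELinux host).
if [ "${1:-}" = "--load" ]; then
    build_and_load httpd_sys_script_t
    verify_attr httpd_sys_script_t
fi
```

Run without arguments it only prints the module source and the runcon line; with `--load` it compiles and installs the module and then confirms with seinfo that the domain now carries the attribute. The web script still needs to be started with a specific category set (the runcon line, or mod_selinux) for the MCS constraint to have anything to compare.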
