Dear all,
I have been trying to test and see how SELinux MLS works with Apache; this is what I did to test it:
1) As we're aware, if we start the apache process as the default SELinux user (i.e. just as the root user), it will obtain a security context which has the full range of sensitivities and categories (i.e. s0-s15, c0-c1023):
[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:sshd_t:s0-s15:c0.c1023
[root@msc-ishara-system1 ~]# ps auxZ | grep -i http
system_u:system_r:sshd_t:s0-s15:c0.c1023 root 29161 0.0 0.4 262888 9248 ? Ss 00:16 0:00 /usr/sbin/httpd
system_u:system_r:sshd_t:s0-s15:c0.c1023 apache 29164 0.0 0.2 262888 5264 ? S 00:16 0:00 /usr/sbin/httpd
2) Then what I did was stop apache and then switch to a new SELinux role (s4-s5:c1,c2) and start the Apache process as follows; apache will also get the same security context as the user (s4-s5:c1,c2):
[root@msc-ishara-system1 ~]# newrole -l s4-s5:c1,c2
Password:
[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:sshd_t:s4-s5:c1,c2
[root@msc-ishara-system1 ~]# /etc/init.d/httpd start
[root@msc-ishara-system1 ~]# ps auxZ | grep -i httpd
system_u:system_r:sshd_t:s4-s5:c1,c2 root 29220 0.0 0.4 262888 9244 ? Ss 00:18 0:00 /usr/sbin/httpd
system_u:system_r:sshd_t:s4-s5:c1,c2 apache 29223 0.0 0.2 262888 5264 ? S 00:18 0:00 /usr/sbin/httpd
3) And now I created a file 'info.php' under /var/www/html, and then I changed the security context of this file as follows:
touch /var/www/html/info.php
chcat s0:c3 /var/www/html/info.php
4) Now that we know the apache process is running in the s4-s5:c1,c2 security context and the file /var/www/html/info.php has the s0:c3 context, the apache process shouldn't be able to read the /var/www/html/info.php file, as c3 isn't read into the c1,c2 apache process according to the Bell-LaPadula model, which is the security policy in SELinux MLS. However, when I run a curl on the apache process, it produces an output (which shows the php version and stuff):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html><head>
<style type="text/css">
body {background-color: #ffffff; color: #000000;}
body, td, th, h1, h2 {font-family: sans-serif;}
pre {margin: 0px; font-family: monospace;}
a:link {color: #000099; text-decoration: none; background-color: #ffffff;}
a:hover {text-decoration: underline;}
table {border-collapse: collapse;}
.center {text-align: center;}
5) What I need to understand is: am I testing this wrong? When I run the curl command I run it as the same user which I switched roles to (i.e. s4-s5:c1,c2), so still c3 isn't read into c1,c2. But I still get an output for the curl.
What I am trying to achieve is to show that the Apache process will not be able to read the file /var/www/html/info.php according to the Bell-LaPadula model. Have I missed any step in here? Awaiting your kind guidance and inputs. Thank you.
Regards
Mario Roshane Ishara Fernando
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
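Added example (not part of the post above, and not SELinux's own code): a small Python model of the MLS dominance comparison the post is testing. It parses contexts of the form user:role:type:range, expands category lists and ranges (c1,c2 and c0.c1023), and applies the Bell-LaPadula "no read up" rule: a read is permitted when the subject's current (low) level dominates the object's level, i.e. its sensitivity is at least as high and its category set is a superset. The reference policy's file-read constraint layers type-based terms on top of that basic rule (for instance, some subject types may read up to their clearance, the high end of the range, rather than their current level); that is modelled here only as the read_to_clearance parameter, which the caller must set from the loaded policy (for example after inspecting the process type's attributes with setools' seinfo), not by consulting the policy itself. The full file context string is constructed for the example, since the post only shows the chcat s0:c3 level.

```python
"""Model of the SELinux MLS "no read up" check (Bell-LaPadula simple
security property) applied to the contexts from the post.

Assumptions (constructed for this example):
  * a read is allowed when the subject's low/current level dominates the
    object's level; read_to_clearance=True additionally allows a subject
    whose high/clearance level dominates the object (a type-based exemption
    that the real policy grants per subject type, not modelled here);
  * the file context string FILE_CTX is constructed; the post shows only
    the level set with chcat.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Level:
    sensitivity: int                 # the N in sN
    categories: FrozenSet[int]       # the set of N in cN

    def dominates(self, other: "Level") -> bool:
        """BLP dominance: sensitivity >= and categories are a superset."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_categories(spec: str) -> FrozenSet[int]:
    """Expand 'c1,c2' or a range like 'c0.c1023' into category numbers."""
    cats = set()
    if not spec:
        return frozenset()
    for part in spec.split(","):
        if "." in part:                          # cA.cB is every category A..B
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(spec: str) -> Level:
    """Parse one level such as 's4:c1,c2' or a bare 's0'."""
    sens, _, cats = spec.partition(":")
    return Level(int(sens[1:]), parse_categories(cats))


def parse_range(spec: str) -> Tuple[Level, Level]:
    """Parse 'low-high' (or a single level) into (low, high)."""
    low, _, high = spec.partition("-")
    low_level = parse_level(low)
    return low_level, (parse_level(high) if high else low_level)


def mls_range(context: str) -> str:
    """Return the MLS part of 'user:role:type:range' (range may hold colons)."""
    return context.split(":", 3)[3]


def missing_categories(subject_ctx: str, object_ctx: str) -> FrozenSet[int]:
    """Categories the object carries that the subject's low level lacks."""
    subject_low, _ = parse_range(mls_range(subject_ctx))
    object_low, _ = parse_range(mls_range(object_ctx))
    return object_low.categories - subject_low.categories


def mls_read_allowed(subject_ctx: str, object_ctx: str,
                     read_to_clearance: bool = False) -> bool:
    """No-read-up check of subject against object.

    The basic term uses the subject's low (current) level. With
    read_to_clearance the subject's high (clearance) level is also tried,
    standing in for a type-based exemption in the loaded policy.
    """
    subject_low, subject_high = parse_range(mls_range(subject_ctx))
    object_low, _ = parse_range(mls_range(object_ctx))
    if subject_low.dominates(object_low):
        return True
    return read_to_clearance and subject_high.dominates(object_low)


# Contexts from the post (process) and a constructed file context.
HTTPD_DEFAULT_CTX = "system_u:system_r:sshd_t:s0-s15:c0.c1023"
HTTPD_NEWROLE_CTX = "system_u:system_r:sshd_t:s4-s5:c1,c2"
FILE_CTX = "unconfined_u:object_r:httpd_sys_content_t:s0:c3"   # constructed

if __name__ == "__main__":
    for name, ctx in (("default", HTTPD_DEFAULT_CTX), ("newrole", HTTPD_NEWROLE_CTX)):
        print(name, "low-level read:", mls_read_allowed(ctx, FILE_CTX),
              "to-clearance read:", mls_read_allowed(ctx, FILE_CTX, True),
              "missing:", sorted(missing_categories(ctx, FILE_CTX)))
```

Under the basic rule both processes are refused the s0:c3 file, because a ranged context's current level is its low end (s4 and s0 respectively, with no categories), so c3 is never in the subject's category set. Whether the kernel actually refuses depends on the type in the process context (sshd_t here, not httpd_t, since the init script was run from a newrole shell) and on which MLS attributes that type carries in the loaded policy; checking those attributes and the file's full context with ls -Z is the first thing to verify when a denial that BLP predicts does not show up.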