On 11/6/18 9:33 AM, Ishara Fernando wrote:
Dear all ,
I have been trying to test and see how SELinux MLS works with Apache ,
this is what I did to test
1) As we're aware, if we start the apache process as the default SELinux
user (i.e: just as root user), it will obtain a security context which
has all the range of sensitivities and categories (i.e: s0-s15,
c0-c1023)
[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:sshd_t:s0-s15:c0.c1023
[root@msc-ishara-system1 ~]# ps auxZ | grep -i http
system_u:system_r:sshd_t:s0-s15:c0.c1023 root 29161 0.0 0.4 262888 9248 ? Ss 00:16 0:00 /usr/sbin/httpd
system_u:system_r:sshd_t:s0-s15:c0.c1023 apache 29164 0.0 0.2 262888 5264 ? S 00:16 0:00 /usr/sbin/httpd
2) Then what I did was stop apache, switch to a new SELinux
role (s4-s5:c1,c2) and start the Apache process as follows; apache will
also get the same security context as the user (s4-s5:c1,c2)
[root@msc-ishara-system1 ~]# newrole -l s4-s5:c1,c2
Password:
[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:sshd_t:s4-s5:c1,c2
[root@msc-ishara-system1 ~]# /etc/init.d/httpd start
[root@msc-ishara-system1 ~]# ps auxZ | grep -i httpd
system_u:system_r:sshd_t:s4-s5:c1,c2 root 29220 0.0 0.4 262888 9244 ? Ss 00:18 0:00 /usr/sbin/httpd
system_u:system_r:sshd_t:s4-s5:c1,c2 apache 29223 0.0 0.2 262888 5264 ? S 00:18 0:00 /usr/sbin/httpd
3) And now I created a file 'info.php' under /var/www/html, and then I
changed the security context of this file as follows
touch /var/www/html/info.php
chcat s0:c3 /var/www/html/info.php
4) Now that we know the apache process is running in the s4-s5:c1,c2
security context and the file /var/www/html/info.php has the s0:c3 context,
the apache process shouldn't be able to read the /var/www/html/info.php
file, as c3 isn't read into the c1,c2 apache process according to the
Bell-LaPadula model, which is the security policy in SELinux MLS; however,
when I run a curl on the apache process, it produces an output (which
shows the php version and stuff)
curl http://localhost/info.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html><head>
<style type="text/css">
body {background-color: #ffffff; color: #000000;}
body, td, th, h1, h2 {font-family: sans-serif;}
pre {margin: 0px; font-family: monospace;}
a:link {color: #000099; text-decoration: none; background-color: #ffffff;}
a:hover {text-decoration: underline;}
table {border-collapse: collapse;}
.center {text-align: center;}
5) What I need to understand is: am I testing this wrong? When I run the
curl command I run it as the same user to which I switched roles (i.e:
s4-s5:c1,c2), so still c3 isn't read into c1,c2. But I still get an
output for the curl.
What I am trying to achieve is to show that the Apache process will not be
able to read the file /var/www/html/info.php according to the Bell-LaPadula
model; have I missed any step in here? Awaiting your kind guidance and
inputs. Thank you
First, note that selinux@xxxxxxxxxxxxx has moved to
selinux@xxxxxxxxxxxxxxx. The old list still exists but will eventually
be shut down sometime. I have cc'd the new list above.
Second, it would help if you provided information about your
distribution, release, policy package, etc. sestatus -v output would
also be helpful.
Third, your httpd processes are running in the wrong domain (sshd_t vs
httpd_t), which indicates something else is wrong with your
configuration / set up. And sshd_t appears to be allowed mlsfileread in
the Fedora -mls policy, so it is exempted from MLS constraints on file
reading, which would explain the behavior you are seeing.
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
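The following is an added example, not code from the thread or from the SELinux project. It reproduces offline the two checks the reply asks for: is httpd in the expected domain, and would the Bell-LaPadula "no read up" rule (the subject's clearance, the high end of its range, must dominate the file's level: sensitivity at least as high and categories a superset) allow the read. It also models the exemption Stephen points out: a domain carrying the mlsfileread attribute (sshd_t in the Fedora MLS policy, per the reply) bypasses the MLS file-read constraint. The sample `ps` line and the file level are constructed from the values in the mail; the exempt-type list is an assumption passed in by the caller, and nothing here queries the live policy.

```shell
#!/bin/sh
# Added example: parse SELinux contexts of the shape user:role:type:low-high
# and decide, under Bell-LaPadula, whether a process may read a file.

# type and range fields of a context string
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_range() { printf '%s\n' "$1" | cut -d: -f4-; }

# high (clearance) and low ends of a range; a single level is its own high
range_high() { printf '%s\n' "${1#*-}"; }
range_low()  { printf '%s\n' "${1%%-*}"; }

# sensitivity number and category spec of a level such as "s5:c1,c2"
level_sens() { l=${1%%:*}; printf '%s\n' "${l#s}"; }
level_cats() { case "$1" in *:*) printf '%s\n' "${1#*:}" ;; *) printf '\n' ;; esac; }

# expand a category spec ("c1,c2", "c0.c3,c7") to one category number per line
expand_cats() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r item; do
    [ -n "$item" ] || continue
    case "$item" in
      *.*) lo=${item%%.*}; hi=${item##*.}; n=${lo#c}; hi=${hi#c}
           while [ "$n" -le "$hi" ]; do printf '%s\n' "$n"; n=$((n + 1)); done ;;
      *)   printf '%s\n' "${item#c}" ;;
    esac
  done
}

# is category number $1 inside spec $2?  Range items such as c0.c1023 are
# checked arithmetically, so a full-width range costs nothing.
cat_in_spec() {
  printf '%s\n' "$2" | tr ',' '\n' | while IFS= read -r item; do
    [ -n "$item" ] || continue
    case "$item" in
      *.*) lo=${item%%.*}; hi=${item##*.}; lo=${lo#c}; hi=${hi#c}
           [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ] && echo yes ;;
      *)   [ "$1" -eq "${item#c}" ] && echo yes ;;
    esac
  done | grep -q yes
}

# Bell-LaPadula simple-security condition: does level $1 dominate level $2?
level_dominates() {
  [ "$(level_sens "$1")" -ge "$(level_sens "$2")" ] || return 1
  scats=$(level_cats "$1")
  for c in $(expand_cats "$(level_cats "$2")"); do
    cat_in_spec "$c" "$scats" || return 1
  done
  return 0
}

# Decision for process context $1 reading a file at level $2.  $3 is an
# optional space-separated list of domains assumed (by the caller) to carry
# the mlsfileread attribute and therefore to be exempt from the constraint.
mls_read_decision() {
  t=$(ctx_type "$1")
  for x in $3; do
    [ "$x" = "$t" ] && { echo allow-exempt; return 0; }
  done
  if level_dominates "$(range_high "$(ctx_range "$1")")" "$2"; then
    echo allow
  else
    echo deny
  fi
}

# domain of the context in the first field of a "ps auxZ" line
ps_line_domain() { ctx_type "${1%% *}"; }

# Constructed inputs, taken from the values shown in the mail
PS_LINE='system_u:system_r:sshd_t:s4-s5:c1,c2 root 29220 0.0 0.4 262888 9244 ? Ss 00:18 0:00 /usr/sbin/httpd'
FILE_LEVEL='s0:c3'    # what "chcat s0:c3 /var/www/html/info.php" assigns

printf 'httpd domain:        %s (expected httpd_t)\n' "$(ps_line_domain "$PS_LINE")"
printf 'BLP only:            %s\n' "$(mls_read_decision "${PS_LINE%% *}" "$FILE_LEVEL")"
printf 'sshd_t exempt (reply): %s\n' "$(mls_read_decision "${PS_LINE%% *}" "$FILE_LEVEL" sshd_t)"
```

With the mail's values the pure dominance check says deny (c3 is not in c1,c2), which is the result the poster expected; adding sshd_t to the exempt list flips it to allow-exempt, which matches what was observed. On a real system the domain comes from `ps -eZ`, and which types actually carry the mlsfileread attribute under the loaded policy can be listed with setools' seinfo (for example `seinfo -a mlsfileread -x` in setools 4) rather than assumed.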