On Mon, Feb 21, 2011 at 2:22 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
On 02/21/2011 12:37 PM, Scott Gifford wrote:
> Yes, I am creating categories for my Web server child processes based on
> their PID to stop them from having access to each other's internal data
> in "/proc" (a variation on your earlier suggestion to "grab random MCS
> labels to separate the processes"), but the files
> in /var/run/portal_auth have session data that all the Web processes
> need access to.
>
> I can keep using setxattr, that seems to work well enough.
>
> But I guess I'm not clear on when and how the category field to
> gen_context in the .fc file is used?
>
The syntax should have been:
/var/www/portal_auth(/.*)?
gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,s0:c0)
s0:c0 means Security Level s0 with category c0.
libsepol.mls_from_string: invalid MLS context s0:s0:c0
Since the MCS policy has only one sensitivity (s0), this is automatically added by the gen_context() macro, and should not be added by the user.
If you leave the files with no categories (s0), then they should be able
to read/write them.
Moving to categories provides isolation between the scripts; the goal
would be for the scripts to not be able to attack each other, but
allowing them to write to the same files potentially gives them a
mechanism to attack each other.
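The two points in the exchange above (what gen_context() does with its third argument, and why files left at plain s0 stay readable and writable by every s0:cN child while the children cannot touch each other's labels) can be checked without a policy build. The block below is an added example, not code from the thread, from refpolicy or from libsepol: it re-implements the MCS-mode expansion of gen_context() and the MCS dominance rule in Python as an approximation. It assumes (from the refpolicy macro and the Fedora MCS constraints) that gen_context() appends ":sensitivity" and then ":categories" when a third argument is given, and that both file read and file write require the subject's level to dominate the object's; type enforcement must still allow the access on top of that. The contexts, PIDs and the level_for_pid() helper are constructed for illustration. Note that passing "c0" as the third argument yields ":s0:c0", while passing "s0:c0" yields the "s0:s0:c0" string that the libsepol error quoted above rejects.

```python
"""Added illustration of refpolicy's gen_context() under MCS and of the MCS
dominance rule.  Re-implemented from their documented behaviour; this is an
approximation for reasoning about labels, not the policy compiler."""
import re

MAX_CATEGORY = 1023  # the MCS policy defines categories c0..c1023


def gen_context(context, sensitivity, categories=None):
    """Mimic gen_context() with MCS enabled (assumption: the macro appends
    ':<sensitivity>' and, only if given, ':<categories>')."""
    level = sensitivity if categories is None else f"{sensitivity}:{categories}"
    return f"{context}:{level}"


def parse_level(level):
    """Parse 's0' or 's0:c0,c3.c5' into (sensitivity, frozenset of category
    numbers).  Rejects anything else, as libsepol's mls_from_string does."""
    m = re.fullmatch(r"s(\d+)(?::(.*))?", level)
    if not m:
        raise ValueError(f"invalid MLS context {level}")
    cats = set()
    if m.group(2) is not None:
        for part in m.group(2).split(","):
            r = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)  # cN or cN.cM range
            if not r:
                raise ValueError(f"invalid MLS context {level}")
            lo = int(r.group(1))
            hi = int(r.group(2)) if r.group(2) else lo
            if lo > hi or hi > MAX_CATEGORY:
                raise ValueError(f"invalid MLS context {level}")
            cats.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(cats)


def level_of(context):
    """Return the level field of 'user:role:type:level'.  The level itself
    may contain ':', so split on the first three colons only."""
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"invalid context {context}")
    return parts[3]


def dominates(subject_level, object_level):
    """MCS dominance: same-or-higher sensitivity and a superset of the
    object's categories.  An object with no categories is dominated by
    every subject at the same sensitivity."""
    s_sens, s_cats = parse_level(subject_level)
    o_sens, o_cats = parse_level(object_level)
    return s_sens >= o_sens and o_cats <= s_cats


def mcs_allows(subject_ctx, object_ctx):
    """Assumption: the MCS constraints require h1 dom h2 for both read and
    write on files, so one check covers both directions of the question."""
    return dominates(level_of(subject_ctx), level_of(object_ctx))


def level_for_pid(pid):
    """Illustrative per-child label, not Scott's scheme: one category per
    PID folded into c0..c1023.  Two PIDs 1024 apart collide, so a real
    scheme should allocate and track categories instead."""
    return f"s0:c{pid % (MAX_CATEGORY + 1)}"


if __name__ == "__main__":
    # Constructed sample: two CGI children at distinct categories and a
    # shared session directory labelled with and without a category.
    child_a = "system_u:system_r:httpd_sys_script_t:" + level_for_pid(1201)
    child_b = "system_u:system_r:httpd_sys_script_t:" + level_for_pid(1202)
    shared_plain = gen_context("system_u:object_r:httpd_sys_script_rw_t", "s0")
    shared_c0 = gen_context("system_u:object_r:httpd_sys_script_rw_t", "s0", "c0")
    print("A -> shared(s0):   ", mcs_allows(child_a, shared_plain))  # both children may use it
    print("B -> shared(s0):   ", mcs_allows(child_b, shared_plain))
    print("A -> shared(s0:c0):", mcs_allows(child_a, shared_c0))     # neither child holds c0
    print("A -> B's /proc:    ", mcs_allows(child_a, child_b))       # isolation between children
    bad = gen_context("system_u:object_r:httpd_sys_script_rw_t", "s0", "s0:c0")
    try:
        parse_level(level_of(bad))
    except ValueError as err:
        print("libsepol-style rejection:", err)
```

The demo reproduces the thread's outcome: a file at plain s0 is accessible to every child, a file at s0:c0 is reachable only by a child whose category set includes c0, and each child's own label keeps its /proc entries away from its siblings. It does not model type enforcement or mcstransd's translated labels, so confirm any real layout with `ls -Z`, `ps -Z` and a `runcon` test rather than with this script.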