On Mon, Feb 21, 2011 at 2:22 PM, Daniel J Walsh <span dir="ltr">&lt;<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>&gt;</span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">

<div class="im"><br>
</div><div class="im">On 02/21/2011 12:37 PM, Scott Gifford wrote:<br></div><div><div class="h5">
&gt; Yes, I am creating categories for my Web server child processes based on<br>
&gt; their PID to stop them from having access to each other&#39;s internal data<br>
&gt; in &quot;/proc&quot; (a variation on your earlier suggestion to &quot;grab random MCS<br>
&gt; labels to separate the processes&quot;), but the files<br>
&gt; in /var/run/portal_auth have session data that all the Web processes<br>
&gt; need access to.<br>
&gt;<br>
&gt; I can keep using setxattr, that seems to work well enough.<br>
&gt;<br>
&gt; But I guess I&#39;m not clear on when and how the category field to<br>
&gt; gen_context in the .fc file is used?<br>
&gt;<br>
</div></div></blockquote><div>[ ... ] </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">The syntax should have been:<br>
<br>
/var/www/portal_auth(/.*)?<br>
gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,s0:c0)<br>
<br>
s0:c0 means Security Level s0 with category c0.<br></blockquote><div><br></div><div>When I try that I get this error:</div><div><br></div></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">

<div class="gmail_quote"><div><div>libsepol.mls_from_string: invalid MLS context s0:s0:c0</div></div></div></blockquote><div class="gmail_quote"><div><br></div><div>Which seems to confirm what the <a href="http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted">Tresys Wiki page GettingStarted</a> says:</div>

<div><br></div></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">Since the MCS policy has only one sensitivity (s0), this is automatically added by the gen_context() macro, and should not be added by the user.<br>

</blockquote><div><br></div>Any other suggestions for how to get these files labeled with a category automatically?<br><div class="gmail_quote"><div><font class="Apple-style-span" face="verdana, arial, &#39;Bitstream Vera Sans&#39;, helvetica, sans-serif"><br>

</font></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
If you leave the files with no categories s0, then they should be able<br>
to read/write them.<br></blockquote><div><br></div><div>Yeah, true, but I&#39;m not sure how to cause them to have no category either, apart from using setxattr.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">


Moving to categories provides isolation between the scripts, the goal<br>
would be for the scripts to not be able to attack each other, but<br>
allowing them to write to the same files potentially gives them a<br>
mechanism to attack each other.<br></blockquote><div><br></div><div>Definitely true, but the communication is necessary in this case, and the files are easier to understand and control than the process data.  I think it&#39;s a good tradeoff for my application.</div>

<div><br></div><div>Thanks!</div><div><br></div><div>------Scott.</div><div><br></div></div>