-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/21/2011 12:37 PM, Scott Gifford wrote:
On Mon, Feb 21, 2011 at 11:46 AM, Daniel J Walsh
<dwalsh(a)redhat.com
<mailto:dwalsh@redhat.com>> wrote:
On 02/21/2011 01:25 AM, Scott Gifford wrote:
[ ... ]
> They do have to share files sometimes, so I designated c0 for
that, and
> made sure the processes are always in c0. Now if something should be
> shared, it should remove all groups besides c0, and it will be
shareable.
>
> I expected to do this through file mapping in my module's .fc
file, like
> this:
>
> /var/www/portal_auth(/.*)?
> gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,c0)
>
>
> But when new files are created in /var/www/portal_auth, they still
have
> all of the PID-specific categories, in addition to c0.
>
> To make this work, I had to grant { setattr relabelfrom relabelto } to
> my Web app and make a call to setxattr to change the category on
shared
> files.
>
> That works, but it seems like it would be simpler and more secure
to do
> this through file mappings in my modules .fc file.
[ ... ]
When a process running at MCS1 creates a file it will create the file
with the same label MCS1. I am not sure what you are trying to do with
/var/run/portal_auth, does every one of your scripts need to be able to
read/write every file within the directory?
Yes, I am creating categories for my Web server child processes based on
their PID to stop them from having access to each other's internal data
in "/proc" (a variation on your earlier suggestion to "grab random MCS
labels to separate the processes"), but the files
in /var/run/portal_auth have session data that all the Web processes
need access to.
I can keep using setxattr, that seems to work well enough.
But I guess I'm not clear on when and how the category field to
gen_context in the .fc file is used?
Thanks,
------Scott.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
The syntax should have been:
/var/www/portal_auth(/.*)?
gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,s0:c0)
s0:c0 means Security Level s0 with category c0.
If you leave the files with no categories s0, then they should be able
to read/write them.
Moving to categories provides isolation between the scripts, the goal
would be for the scripts to not be able to attack each other, but
allowing them to write to the same files potentially gives them a
mechanism to attack each other.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org/
iEYEARECAAYFAk1iu3IACgkQrlYvE4MpobNmxQCdG5NhW01mQEumYlhwJHzdhzNK
31wAniO2XRv75o7LfvdPmEBIKOLS/+hq
=r+58
-----END PGP SIGNATURE-----