Hi all,
I have taken ownership of development on the Fedora 11 SELinux (Managing Confined Services) guide, and am currently trying to build on the descriptions of the purposes, uses and implications of enabling/disabling some of the available Booleans.
I am wondering if anybody can expand or has any comments on this description of the httpd_unified Boolean, as there doesn't seem to be a great deal out there about it.
"This Boolean is off by default; turning it on will allow all httpd executables to have full access to all content labeled with an http file context. Leaving it off makes sure that one httpd service cannot interfere with another."
Specifically, I am interested in what is meant by a service that cannot "interfere with another" in the case of httpd_unified, but any comments which may help me refine the description are more than welcome.
Thank you,
On Tue, 17 Mar 2009 15:33:08 +1000 Scott Radvan sradvan@redhat.com wrote:
> Hi all,
> I have taken ownership of development on the Fedora 11 SELinux (Managing Confined Services) guide, and am currently trying to build on the descriptions of the purposes, uses and implications of enabling/disabling some of the available Booleans.
> I am wondering if anybody can expand or has any comments on this description of the httpd_unified Boolean, as there doesn't seem to be a great deal out there about it.
> "This Boolean is off by default; turning it on will allow all httpd executables to have full access to all content labeled with an http file context. Leaving it off makes sure that one httpd service cannot interfere with another."
> Specifically, I am interested in what is meant by a service that cannot "interfere with another" in the case of httpd_unified, but any comments which may help me refine the description are more than welcome.
I think this means that, say, httpd_bugzilla_script_t can't access httpd_sys_* files and httpd_sys_script_t can't access httpd_bugzilla_* files, etc.
Paul.
On Tue, 2009-03-17 at 15:33 +1000, Scott Radvan wrote:
> "This Boolean is off by default; turning it on will allow all httpd executables to have full access to all content labeled with an http file context. Leaving it off makes sure that one httpd service cannot interfere with another."
The httpd SELinux policy allows one to confine specific http content to specific domains or sandboxes.
If configured properly, for example, a user cgi script gets run in a domain specific to user scripts. That domain, specific to user content, can only manage user content.
For example, a user labels his cgi script with the type httpd_user_script_exec_t. Now when apache runs this script, it will domain transition to the httpd_user_script_t domain. This domain can only access content with the httpd user type, for example httpd_user_content_t.
When a sysadm labels a system cgi script with type httpd_sys_script_exec_t, then apache will domain transition to the httpd_sys_script_t domain specific to system scripts. This httpd_sys_script_t domain can only access content with the sys type, for example httpd_sys_content_t.
The httpd SELinux policy allows the operator to define more of these specific domains. It facilitates this with the apache_content_template, for example.
So if you have a cgi webapp called myscript, then you can run this script in its own apache domain. You would, for example, create a module and call apache_content_template(myscript).
This will create types that you can use to confine your script: httpd_myscript_script_exec_t, httpd_myscript_content_t, etc.
Now if you label your script with type httpd_myscript_script_exec_t, apache will domain transition to httpd_myscript_script_exec_t. This domain only has access to files with type httpd_myscript_content_t.
The idea of this model is that the different domains cannot interfere with each other (escalate their privilege).
If one cgi script is compromised, it will not be able to affect another script if that script is running in another domain.
Now about httpd_unified:
All httpd content is assigned an attribute: httpdcontent. So httpd_myscript_content_t is httpdcontent but also httpd_user_content_t is httpdcontent.
httpd_unified allows the processes to escalate to each others content.
Instead of a rule like this, for example:
allow httpd_myscript_script_t httpd_myscript_content_t:file read;
there's a rule:
allow httpd_myscript_script_t httpdcontent:file read;
Which says:
allow the httpd_myscript_script_t domain to read all files that have the httpdcontent attribute assigned to them.
Which is all httpd content.
So by default you can isolate the different apache content. But if you enable httpd_unified then that isolation is gone. (then everything will just be httpdcontent)
It may be best to just try it.
Create two simple hello world web scripts, and create a new domain for each. Then run the scripts in their domain.
Later, edit the scripts to read some content that is not in their domain, for example let them try to read a file with type httpd_sys_content_t. This should be denied if httpd_unified is disabled.
Then enable httpd_unified and your scripts should be able to read the file with the httpd_sys_content_t type.
Disclaimer: I might have this all wrong. Use this at your own risk.
> Specifically, I am interested in what is meant by a service that cannot "interfere with another" in the case of httpd_unified, but any comments which may help me refine the description are more than welcome.
privilege escalation.
apache script a cannot access apache script b's files.
> Thank you,
hth, Dominick
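As an added illustration (not code from this thread, and not the Fedora policy itself), the following small model replays the type/attribute mechanics Dominick describes above and the experiment he proposes: several script domains, each with its own content type, all content types carrying the httpdcontent attribute, per-domain allow rules, and an httpd_unified-gated rule on the attribute. The domain and type names httpd_myscript_a_* and httpd_myscript_b_* stand in for two apache_content_template() modules; the scope of the conditional rules is taken from Dominick's description and is an assumption, so confirm it against the apache.te/apache.if sources of the policy version you document.

```python
"""Toy model of SELinux allow rules with a type attribute and a tunable.

Added illustration only; it is not the reference policy. Type and domain
names for the two custom modules (httpd_myscript_a_*, httpd_myscript_b_*)
are constructed for the example, and the exact reach of the httpd_unified
conditional rules is an assumption based on Dominick's explanation.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Every httpd content type carries the httpdcontent attribute (Dominick's
# point above); the two myscript types model apache_content_template() output.
ATTRIBUTES: Dict[str, Set[str]] = {
    "httpdcontent": {
        "httpd_sys_content_t",
        "httpd_user_content_t",
        "httpd_myscript_a_content_t",   # constructed for the example
        "httpd_myscript_b_content_t",   # constructed for the example
    },
}


@dataclass(frozen=True)
class Allow:
    source: str                   # the script domain
    target: str                   # a concrete type or an attribute name
    perm: str                     # file permission, e.g. "read"
    boolean: Optional[str] = None  # tunable gating the rule, if any


RULES = [
    # Unconditional rules: each script domain reads only its own content type.
    Allow("httpd_sys_script_t", "httpd_sys_content_t", "read"),
    Allow("httpd_user_script_t", "httpd_user_content_t", "read"),
    Allow("httpd_myscript_a_script_t", "httpd_myscript_a_content_t", "read"),
    Allow("httpd_myscript_b_script_t", "httpd_myscript_b_content_t", "read"),
    # Rules on the attribute, live only while httpd_unified is on (assumed
    # scope: every script domain gets them).
    Allow("httpd_sys_script_t", "httpdcontent", "read", "httpd_unified"),
    Allow("httpd_user_script_t", "httpdcontent", "read", "httpd_unified"),
    Allow("httpd_myscript_a_script_t", "httpdcontent", "read", "httpd_unified"),
    Allow("httpd_myscript_b_script_t", "httpdcontent", "read", "httpd_unified"),
]


def types_matching(target: str) -> Set[str]:
    """Expand an attribute into its member types; a plain type matches itself."""
    return ATTRIBUTES.get(target, {target})


def allowed(domain: str, file_type: str, perm: str,
            booleans: Dict[str, bool]) -> bool:
    """Return True if some active rule grants `domain` `perm` on `file_type`.

    Rules whose tunable is off are skipped, exactly as a tunable_policy block
    that evaluates false contributes nothing. Anything not granted is denied.
    """
    for rule in RULES:
        if rule.boolean and not booleans.get(rule.boolean, False):
            continue
        if (rule.source == domain and rule.perm == perm
                and file_type in types_matching(rule.target)):
            return True
    return False


def run_experiment() -> Dict[tuple, bool]:
    """Replay the proposed test: two scripts in their own domains try to read
    their own content, the other script's content, and a file labeled
    httpd_sys_content_t, first with httpd_unified off and then on."""
    results = {}
    for unified in (False, True):
        booleans = {"httpd_unified": unified}
        for name in ("a", "b"):
            dom = f"httpd_myscript_{name}_script_t"
            other = "b" if name == "a" else "a"
            results[(name, "own", unified)] = allowed(
                dom, f"httpd_myscript_{name}_content_t", "read", booleans)
            results[(name, "other", unified)] = allowed(
                dom, f"httpd_myscript_{other}_content_t", "read", booleans)
            results[(name, "sys", unified)] = allowed(
                dom, "httpd_sys_content_t", "read", booleans)
    return results


if __name__ == "__main__":
    for (script, target, unified), ok in sorted(run_experiment().items()):
        state = "on " if unified else "off"
        verdict = "allowed" if ok else "denied"
        print(f"httpd_unified={state} script {script} -> {target:5} content: {verdict}")
```

With the Boolean off, each script domain reaches only its own content type and the read of httpd_sys_content_t is denied; with it on, the attribute rule lets every modelled script domain read everything carrying httpdcontent, which is the isolation loss Dominick describes. Note that the model grants nothing but read, so a write by httpd_sys_script_t stays denied in both states; a real policy check needs the actual rules and an audit of the AVC denials on a test host.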
httpd_unified means that all file types for httpd_sys_* are treated the same way:
httpd_sys_content_t, httpd_sys_content_rw_t, httpd_sys_script_exec_t, httpd_sys_content_ra_t
If you turn on this boolean, a script running as httpd_sys_script_t or httpd_t can read/write/execute all httpd_sys file types.
If you turn it off, the admin is responsible for making sure the labeling is correct on all files. So if httpd_sys_script_t wants to write to a file/directory, it needs to be labeled httpd_sys_content_rw_t.
httpd_sys_script_t cannot interact with httpd_(NON sys)_content_t with or without the boolean set.
The httpd_unified boolean does not affect any other httpd_(NON sys)_script_t domains.
selinux@lists.fedoraproject.org