Using dyntransition to reduce privileges for Web application

Scott Gifford sgifford at suspectclass.com
Sun Feb 20 05:31:47 UTC 2011


On Mon, Jan 17, 2011 at 11:27 PM, Scott Gifford
<sgifford at suspectclass.com> wrote:

> On Mon, Jan 17, 2011 at 2:45 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> [ ... ]
>
>>  > Third, since my main goal here is to prevent processes from interacting
>> > with each other inappropriately, I would like to prevent each HTTP worker
>> > from reading any information from "/proc" for other HTTP workers.  Currently
>> > they are allowed to do this, because they all run in the same domain.  Is
>> > there any way to prevent this?
>> >
>>
>> libvirt and sandbox use MCS separation for this.  Basically they grab
>> random MCS labels to separate the processes.  I would suggest using two
>> Categories, s0:c0-c1023,c0-1023 and make sure they are never the same.
>>
>> s0:c1,c43
>> s0:c2,c43
>>
>> Is fine.
>>
>> s0:c1,c1 is not
>>
>> Then just set that context and you should get separation.  If you need
>> the processes to handle data it might get a little more complicated.
>>
>
> Thanks!  I think I will need to learn a little more about this feature
> before I can use it.  I will need a way to generate a unique category number
> (maybe from the PID?), and the processes will need to handle some shared
> data and code, so I will need to figure that out as well.
>

OK, so I have started experimenting with this, but /proc is not behaving how
I expect so far.

So I open up two shells.  In the first I run:

runcon -l s0-s0:c0,c1 bash


and in the second:

runcon -l s0-s0:c0,c2 bash


So both should have access to c0, but only the first will have access to c1
and only the second will have access to c2.

When I try this on files, it works:

shell1$ id -Z
user_u:system_r:unconfined_t:-s0:c0,c1
shell1$ ls -lZ test.c1 test.c2
-rw-rw-r--  sgifford sgifford user_u:object_r:user_home_t:s0:c1 test.c1
-rw-rw-r--  sgifford sgifford user_u:object_r:user_home_t:s0:c2 test.c2
shell1$ head -1 test.c1 test.c2
==> test.c1 <==
Category 1
head: cannot open `test.c2' for reading: Permission denied


But on /proc files it does not:

shell1$ id -Z
user_u:system_r:unconfined_t:-s0:c0,c1
shell1$ ls -lZ /proc/10961/maps
-r--r--r--  sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2 /proc/10961/maps
shell1$ head -1 /proc/10961/maps
002ac000-002ad000 r-xp 002ac000 00:00 0          [vdso]


That is, even though "ls -lZ" indicates that the maps file for PID 10961
requires c2 and my shell does not have c2, still I am allowed to read this
file.

I must be misunderstanding something here.  Any thoughts or hints?

Thanks!

-----Scott.
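The MCS rule the thread is reasoning about (a subject may touch an object only if it holds every category on the object, and two workers stay apart when neither holds the other's full category set) can be checked on paper before touching a policy. The following is an added example written for this archive page, not code from the post, from libvirt or from sandbox; it models the category-dominance comparison on constructed context strings shaped like the `id -Z` and `ls -Z` output above, and adds a small allocator for distinct two-category pairs of the kind Dan suggests. The helper names (`parse_categories`, `mcs_allows`, `workers_isolated`, `pick_category_pair`) and the sample contexts are assumptions of this example. It only says what dominance would permit; which object classes the rule is actually enforced on is decided by the MCS constraints in the loaded policy, which a string comparison like this cannot tell you.

```python
import random
import re

# Constructed sample contexts in the shape shown in the post: the shell gets a
# range "s0-s0:<cats>" from runcon -l, the test files carry a single level.
SHELL1 = "user_u:system_r:unconfined_t:s0-s0:c0,c1"
SHELL2 = "user_u:system_r:unconfined_t:s0-s0:c0,c2"
FILE_C1 = "user_u:object_r:user_home_t:s0:c1"
FILE_C2 = "user_u:object_r:user_home_t:s0:c2"

_CAT_RE = re.compile(r"c(\d+)(?:\.c(\d+))?")


def parse_categories(level):
    """Return the set of category numbers in an MCS level such as 's0:c0,c1'.
    'c0.c5' denotes the inclusive range c0..c5; a bare sensitivity ('s0') has none."""
    if ":" not in level:
        return set()
    _sens, cats = level.split(":", 1)
    result = set()
    for part in cats.split(","):
        m = _CAT_RE.fullmatch(part)
        if m is None:
            raise ValueError("bad category spec: %r" % part)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        result.update(range(lo, hi + 1))
    return result


def effective_categories(context):
    """Categories a context may touch: the high end of its range
    (for 's0-s0:c0,c1' that is 's0:c0,c1'; a single level is its own high end)."""
    # user:role:type:range -- only the first three ':' separate fields; the
    # range itself contains ':' between sensitivity and categories.
    _user, _role, _type, mcs_range = context.split(":", 3)
    high = mcs_range.split("-", 1)[1] if "-" in mcs_range else mcs_range
    return parse_categories(high)


def mcs_allows(subject_context, object_context):
    """MCS dominance: the subject is allowed only if it holds every category
    present on the object (an object with no categories is open to anyone)."""
    return effective_categories(object_context) <= effective_categories(subject_context)


def workers_isolated(ctx_a, ctx_b):
    """True when neither worker context dominates the other."""
    return not mcs_allows(ctx_a, ctx_b) and not mcs_allows(ctx_b, ctx_a)


def pick_category_pair(used, seed=None):
    """Allocate a level with two distinct random categories in c0..c1023,
    skipping pairs already handed out. Constructed for this example; it is
    not libvirt's or sandbox's own allocator."""
    rng = random.Random(seed)
    while True:
        a, b = rng.sample(range(1024), 2)   # sample() never returns duplicates
        pair = (min(a, b), max(a, b))
        if pair not in used:
            used.add(pair)
            return "s0:c%d,c%d" % pair


if __name__ == "__main__":
    print("shell1 -> test.c1:", mcs_allows(SHELL1, FILE_C1))              # True
    print("shell1 -> test.c2:", mcs_allows(SHELL1, FILE_C2))              # False
    print("shell1 / shell2 isolated:", workers_isolated(SHELL1, SHELL2))  # True
    used = set()
    print([pick_category_pair(used, seed=i) for i in range(3)])
```

Two categories per worker, with every pair distinct, is enough because two different two-element sets can never be subsets of one another; a degenerate label such as `s0:c1,c1` collapses to the single category c1 and is dominated by any pair containing c1, which is the case Dan calls out as not fine.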