Using dyntransition to reduce privileges for Web application
Dominick Grift
domg472 at gmail.com
Sun Feb 20 16:59:47 UTC 2011
On 02/20/2011 06:31 AM, Scott Gifford wrote:
> On Mon, Jan 17, 2011 at 11:27 PM, Scott Gifford
> <sgifford at suspectclass.com>wrote:
>
>> On Mon, Jan 17, 2011 at 2:45 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> [ ... ]
>>
>>>> Third, since my main goal here is to prevent processes from interacting
>>>> with each other inappropriately, I would like to prevent each HTTP worker
>>>> from reading any information from "/proc" for other HTTP workers. Currently
>>>> they are allowed to do this, because they all run in the same domain. Is
>>>> there any way to prevent this?
>>>>
>>>
>>> libvirt and sandbox use MCS separation for this. Basically they grab
>>> random MCS labels to separate the processes. I would suggest using two
>>> Categories, s0:c0-c1023,c0-1023 and make sure they are never the same.
>>>
>>> s0:c1,c43
>>> s0:c2,c43
>>>
>>> Is fine.
>>>
>>> s0:c1,c1 is not
>>>
>>> Then just set that context and you should get separation. if you need
>>> the processes to handle data it might get a little more complicated.
>>>
>>
>> Thanks! I think I will need to learn a little more about this feature
>> before I can use it. I will need a way to generate a unique category number
>> (maybe from the PID?), and the processes will need to handle some shared
>> data and code, so I will need to figure that out as well.
>>
>
> OK, so I have started experimenting with this, but /proc is not behaving how
> I expect so far.
>
> So I open up two shells. In the first I run:
>
> runcon -l s0-s0:c0,c1 bash
>
>
> and in the second:
>
> runcon -l s0-s0:c0,c2 bash
>
>
> So both should have access to c1, but only the first will have access to c1
> and only the second will have access to c2.
s0-s0:c0,c2 should not have access to c1, but s0-s0:c0,c2 should.
> When I try this on files, it works:
>
> shell1$ *id -Z*
> user_u:system_r:unconfined_t:-s0:c0,c1
> shell1$ *ls -lZ test.c1 test.c2*
> -rw-rw-r-- sgifford sgifford user_u:object_r:user_home_t:s0:c1 test.c1
> -rw-rw-r-- sgifford sgifford user_u:object_r:user_home_t:s0:c2 test.c2
> shell1$ *head -1 test.c1 test.c2*
> ==> test.c1 <==
> Category 1
> head: cannot open `test.c2' for reading: Permission denied
>
>
> But on /proc files it does not:
>
> shell1$ *id -Z*
> user_u:system_r:unconfined_t:-s0:c0,c1
> shell1$ *ls -lZ /proc/10961/maps*
> -r--r--r-- sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2
> /proc/10961/maps
> shell1$ *head -1 /proc/10961/maps*
> 002ac000-002ad000 r-xp 002ac000 00:00 0 [vdso]
From /policy/mcs:
# Note:
# - getattr on dirs/files is not constrained.
# - /proc/pid operations are not constrained.
So that explains the above.
>
> That is, even though "ls -lZ" indicates that the maps file for PID 10961
> requires c2 and my shell does not have c2, still I am allowed to read this
> file.
>
> I must be misunderstanding something here. Any thoughts or hints?
>
> Thanks!
>
> -----Scott.
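As an added example that is not part of this thread, here is a small Python model of the MCS dominance check the discussion relies on: a subject's high level must contain every category of the object's level, which is why s0-s0:c0,c1 can read test.c1 but not test.c2, and why, per the policy/mcs note above, the same check never fires for /proc/<pid> entries. The worker_levels helper is my own illustration of the random two-category allocation Dan describes for libvirt/sandbox; all function names are assumptions.

```python
import random

def mcs_categories(level):
    """Expand one MCS level ('s0:c0,c1', 's0:c0.c1023', or bare 's0') into
    (sensitivity number, set of category numbers). 'cA.cB' is the whole range A..B."""
    sens, _, cats = level.partition(":")
    out = set()
    for piece in filter(None, cats.split(",")):
        lo, _, hi = piece.partition(".")
        lo_n, hi_n = int(lo[1:]), int((hi or lo)[1:])
        out.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), out

def high_level(context):
    """Keep the MLS/MCS field of a full context (or accept a bare level) and reduce a
    'low-high' range to its high level: 's0-s0:c0,c1' -> 's0:c0,c1'.
    Also tolerates the ':-s0:c0,c1' rendering shown by id -Z in the thread."""
    fields = context.split(":")
    mls = ":".join(fields[3:]) if len(fields) > 3 else context
    return mls.split("-", 1)[-1]

def mcs_can_read(subject_ctx, object_ctx):
    """MCS file constraint: the subject's high level must dominate the object's level,
    i.e. same-or-higher sensitivity and the object's categories are a subset of the
    subject's. This models ordinary file access only; policy/mcs exempts getattr and
    /proc/<pid> operations, which is why the maps file above was readable."""
    s_sens, s_cats = mcs_categories(high_level(subject_ctx))
    o_sens, o_cats = mcs_categories(high_level(object_ctx))
    return s_sens >= o_sens and o_cats <= s_cats

def worker_levels(n, ncats=1024, seed=None):
    """Allocate n distinct two-category levels (assumed helper, modelled on the random
    pairs libvirt/sandbox pick). sample() guarantees the two categories differ, so a
    level like s0:c1,c1 cannot occur, and distinct pairs never dominate each other."""
    rng = random.Random(seed)
    seen = set()
    while len(seen) < n:
        a, b = rng.sample(range(ncats), 2)
        seen.add((min(a, b), max(a, b)))
    return ["s0:c%d,c%d" % pair for pair in sorted(seen)]
```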