Using dyntransition to reduce privileges for Web application

Dominick Grift domg472 at gmail.com
Sun Feb 20 17:02:02 UTC 2011



On 02/20/2011 05:59 PM, Dominick Grift wrote:
> On 02/20/2011 06:31 AM, Scott Gifford wrote:
>> On Mon, Jan 17, 2011 at 11:27 PM, Scott Gifford
>> <sgifford at suspectclass.com>wrote:
> 
>>> On Mon, Jan 17, 2011 at 2:45 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>> [ ... ]
>>>
>>>>> Third, since my main goal here is to prevent processes from interacting
>>>>> with each other inappropriately, I would like to prevent each HTTP worker
>>>>> from reading any information from "/proc" for other HTTP workers.  Currently
>>>>> they are allowed to do this, because they all run in the same domain.  Is
>>>>> there any way to prevent this?
>>>>>
>>>>
>>>> libvirt and sandbox use MCS separation for this.  Basically they grab
>>>> random MCS labels to separate the processes.  I would suggest using two
>>>> Categories, s0:c0-c1023,c0-1023 and make sure they are never the same.
>>>>
>>>> s0:c1,c43
>>>> s0:c2,c43
>>>>
>>>> Is fine.
>>>>
>>>> s0:c1,c1 is not
>>>>
>>>> Then just set that context and you should get separation. if you need
>>>> the processes to handle data it might get a little more complicated.
>>>>
>>>
>>> Thanks!  I think I will need to learn a little more about this feature
>>> before I can use it.  I will need a way to generate a unique category number
>>> (maybe from the PID?), and the processes will need to handle some shared
>>> data and code, so I will need to figure that out as well.
>>>
> 
>> OK, so I have started experimenting with this, but /proc is not behaving how
>> I expect so far.
> 
>> So I open up two shells.  In the first I run:
> 
>> runcon -l s0-s0:c0,c1 bash
> 
> 
>> and in the second:
> 
>> runcon -l s0-s0:c0,c2 bash
> 
> 
>> So both should have access to c1, but only the first will have access to c1
>> and only the second will have access to c2.
> 
> s0-s0:c0,c2 should not have access to c1
> 
> but
> 
> s0-s0:c0,c2 should

Err.. I meant: s0-s0:c0.c2 should

. signals a range (so c0.c2 means c0, c1 and c2).
, is just a separator (so c0,c2 means c0 and c2).

>> When I try this on files, it works:
> 
>> shell1$ *id -Z*
>> user_u:system_r:unconfined_t:-s0:c0,c1
>> shell1$ *ls -lZ test.c1 test.c2*
>> -rw-rw-r--  sgifford sgifford user_u:object_r:user_home_t:s0:c1 test.c1
>> -rw-rw-r--  sgifford sgifford user_u:object_r:user_home_t:s0:c2 test.c2
>> shell1$ *head -1 test.c1 test.c2*
>> ==> test.c1 <==
>> Category 1
>> head: cannot open `test.c2' for reading: Permission denied
> 
> 
>> But on /proc files it does not:
> 
>> shell1$ *id -Z*
>> user_u:system_r:unconfined_t:-s0:c0,c1
>> shell1$ *ls -lZ /proc/10961/maps*
>> -r--r--r--  sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2
>> /proc/10961/maps
>> shell1$ *head -1 /proc/10961/maps*
>> 002ac000-002ad000 r-xp 002ac000 00:00 0          [vdso]
> 
> from /policy/mcs:
> 
> # Note:
> #  - getattr on dirs/files is not constrained.
> #  - /proc/pid operations are not constrained.
> 
> so that explains the above
> 
> 
>> That is, even though "ls -lZ" indicates that the maps file for PID 10961
>> requires c2 and my shell does not have c2, still I am allowed to read this
>> file.
> 
>> I must be misunderstanding something here.  Any thoughts or hints?
> 
>> Thanks!
> 
>> -----Scott.
> 
> 
> 
> 
> 
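The category syntax described above (`.` for a range, `,` for a separator) and the read check that Scott's test.c1/test.c2 experiment exercises, as an added example that is not code from the thread or from the SELinux policy sources. It assumes the mcs policy's read constraint on regular files is `h1 dom h2`, i.e. the process's high category set must contain every category on the file; per the quoted /policy/mcs note, no such check is applied to /proc/<pid> files, which is why the maps read went through.

```python
import re

# Matches one category item: 'c5' or an inclusive range 'c0.c2'.
_CAT = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_categories(spec):
    """Expand an MCS category spec into a set of category numbers.

    ',' separates items; '.' inside an item is an inclusive range:
      'c0,c2' -> {0, 2}        'c0.c2' -> {0, 1, 2}
    """
    cats = set()
    if not spec:
        return cats
    for item in spec.split(","):
        m = _CAT.match(item)
        if not m:
            raise ValueError("bad category item: %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if hi < lo:
            raise ValueError("descending range: %r" % item)
        cats.update(range(lo, hi + 1))
    return cats


def parse_level(level):
    """Parse 's0', 's0:c0,c1' or 's0-s0:c0.c2' into (low_cats, high_cats).

    A 'low-high' range gives a process its clearance (high); a single
    level means low == high. Only sensitivity s0 is modelled here.
    """
    low, _, high = level.partition("-")
    if not high:
        high = low

    def cats_of(lvl):
        sens, _, cat_spec = lvl.partition(":")
        if sens != "s0":
            raise ValueError("only sensitivity s0 is modelled: %r" % lvl)
        return parse_categories(cat_spec)

    return cats_of(low), cats_of(high)


def may_read(process_level, file_level):
    """h1 dom h2 (assumed mcs read rule): file cats must be a subset of process high cats."""
    _, proc_high = parse_level(process_level)
    _, file_high = parse_level(file_level)
    return file_high <= proc_high
```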

