Using dyntransition to reduce privileges for Web application

Dominick Grift domg472 at gmail.com
Sun Feb 20 21:05:01 UTC 2011



On 02/20/2011 09:47 PM, Scott Gifford wrote:
> On Sun, Feb 20, 2011 at 12:02 PM, Dominick Grift <domg472 at gmail.com> wrote:
> 
>> On 02/20/2011 05:59 PM, Dominick Grift wrote:
>>> On 02/20/2011 06:31 AM, Scott Gifford wrote:
>>
>  [ ... ]
> 
>>>> OK, so I have started experimenting with this, but /proc is not behaving how
>>>> I expect so far.
>>>
>>>> So I open up two shells.  In the first I run:
>>>
>>>> runcon -l s0-s0:c0,c1 bash
>>>
>>>
>>>> and in the second:
>>>
>>>> runcon -l s0-s0:c0,c2 bash
>>>
>>>
>>>> So both should have access to c1, but only the first will have access to c1
>>>> and only the second will have access to c2.
>>
> 
> Above I meant to say "both should have access to c0".
> [ ... ]
> 
>>>> shell1$ *id -Z*
>>>> user_u:system_r:unconfined_t:-s0:c0,c1
>>>> shell1$ *ls -lZ /proc/10961/maps*
>>>> -r--r--r--  sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2
>>>> /proc/10961/maps
>>>> shell1$ *head -1 /proc/10961/maps*
>>>> 002ac000-002ad000 r-xp 002ac000 00:00 0          [vdso]
>>>
>>> from /policy/mcs:
>>>
>>> # Note:
>>> #  - getattr on dirs/files is not constrained.
>>> #  - /proc/pid operations are not constrained.
>>>
>>> so that explains the above
>>
> 
> Ah, yes it does, thanks!  I wonder if I can adjust this policy to get
> different behavior, or if it's hardcoded somewhere outside the policy?
> 

No, not hardcoded. This is just configuration (policy); you can define
your own constraints or modify existing ones.

> -------Scott.
> 


