Using dyntransition to reduce privileges for Web application
Scott Gifford
sgifford at suspectclass.com
Sun Feb 20 22:54:09 UTC 2011
On Sun, Feb 20, 2011 at 4:05 PM, Dominick Grift <domg472 at gmail.com> wrote:
> On 02/20/2011 09:47 PM, Scott Gifford wrote:
> > On Sun, Feb 20, 2011 at 12:02 PM, Dominick Grift <domg472 at gmail.com>
> wrote:
>
[ ... ]
> >>> from /policy/mcs:
> >>>
> >>> # Note:
> >>> # - getattr on dirs/files is not constrained.
> >>> # - /proc/pid operations are not constrained.
> >>>
> >>> so that explains the above
> >>
> >
> > Ah, yes it does, thanks! I wonder if I can adjust this policy to get
> > different behavior, or if it's hardcoded somewhere outside the policy?
> >
>
> No, not hardcoded. This is just configuration (policy) you can define
> your own constraints, or modify existing ones.
>
OK, I think I've got this. I removed the "or ( t2 == domain )" from these
rules in policy/mcs:
-
- mlsconstrain dir { create getattr setattr read write link unlink rename
search add_name remove_name reparent rmdir lock ioctl }
- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
-
- mlsconstrain file { read }
- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
and I seem to be getting the behavior I want. Anybody see any risks or
downsides to this?
For long-term maintenance, it looks like I can't override this in my own
module, I will need to patch the base policy, maybe by adding another patch
to the serefpolicy-2.4.6 RPM specfile and maintaining this by hand? Is
there a better way to maintain customizations to the base policy?
I think I can automatically generate a unique category set from a PID by
using two MCS categories to represent each bit of the PID, the first for a
0-bit and the second for a 1-bit. That will take 32 categories for a 16-bit
PID, which seems reasonable.
Thanks for the help!
-----Scott.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/selinux/attachments/20110220/5868bd2d/attachment.html
More information about the selinux
mailing list