Using dyntransition to reduce privileges for Web application

Scott Gifford sgifford at suspectclass.com
Sun Feb 20 22:54:09 UTC 2011


On Sun, Feb 20, 2011 at 4:05 PM, Dominick Grift <domg472 at gmail.com> wrote:

> On 02/20/2011 09:47 PM, Scott Gifford wrote:
> > On Sun, Feb 20, 2011 at 12:02 PM, Dominick Grift <domg472 at gmail.com>
> wrote:
>

[ ... ]


>  >>> from /policy/mcs:
> >>>
> >>> # Note:
> >>> #  - getattr on dirs/files is not constrained.
> >>> #  - /proc/pid operations are not constrained.
> >>>
> >>> so that explains the above
> >>
> >
> > Ah, yes it does, thanks!  I wonder if I can adjust this policy to get
> > different behavior, or if it's hardcoded somewhere outside the policy?
> >
>
> No, not hardcoded. This is just configuration (policy) you can define
> your own constraints, or modify existing ones.
>

OK, I think I've got this.  I removed the "or ( t2 == domain )" from these
rules in policy/mcs:

   -
   - mlsconstrain dir { create getattr setattr read write link unlink rename
   search add_name remove_name reparent rmdir lock ioctl }
   -        (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
   -
   - mlsconstrain file { read }
   -        (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));

and I seem to be getting the behavior I want.  Anybody see any risks or
downsides to this?

For long-term maintenance, it looks like I can't override this in my own
module, I will need to patch the base policy, maybe by adding another patch
to the serefpolicy-2.4.6 RPM specfile and maintaining this by hand?  Is
there a better way to maintain customizations to the base policy?

I think I can automatically generate a unique category set from a PID by
using two MCS categories to represent each bit of the PID, the first for a
0-bit and the second for a 1-bit.  That will take 32 categories for a 16-bit
PID, which seems reasonable.

Thanks for the help!

-----Scott.
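Added example, not part of Scott's message or of the reference policy: a small Python model of the two ideas in the message above, the two-categories-per-bit PID encoding and the effect of dropping "( t2 == domain )" from the quoted mlsconstrain rules. The category numbering (c0..c31), the 16-bit PID width, the "s0:" sensitivity prefix and the use of attribute-name strings for `domain` and `mlsfileread` are assumptions made for the example; MCS "dom" is modelled as a category superset test at a single sensitivity.

```python
# Added example (not from the original thread or the reference policy).
# Models (1) Scott's PID -> MCS category-set encoding and (2) the original
# versus modified dir/file mlsconstrain expressions quoted in the message.
# Assumptions: 16-bit PIDs, categories c0..c31, sensitivity s0 only, and
# types represented by the set of attributes they carry.

PID_BITS = 16                   # assumption: 16-bit PID, as in the message
NUM_CATEGORIES = 2 * PID_BITS   # 32 categories, c0..c31


def pid_to_categories(pid):
    """For bit i of the PID use c(2i) when the bit is 0 and c(2i+1) when it is 1.

    Every PID therefore gets exactly PID_BITS categories, and two distinct
    PIDs differ in at least one bit, so neither set is a superset of the other.
    """
    if not 0 <= pid < (1 << PID_BITS):
        raise ValueError("pid out of range for %d-bit encoding" % PID_BITS)
    cats = set()
    for i in range(PID_BITS):
        bit = (pid >> i) & 1
        cats.add(2 * i + bit)
    return frozenset(cats)


def categories_to_label(cats):
    """Render a category set in the s0:cN,cM form used in MCS contexts."""
    return "s0:" + ",".join("c%d" % c for c in sorted(cats))


def dominates(h1, h2):
    """MCS 'h1 dom h2' at a single sensitivity: h1's categories contain h2's."""
    return h2 <= h1


def original_constraint(h1, h2, t1_attrs, t2_attrs):
    """(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread )) as quoted."""
    return dominates(h1, h2) or "domain" in t2_attrs or "mlsfileread" in t1_attrs


def modified_constraint(h1, h2, t1_attrs, t2_attrs):
    """Same rule with the ( t2 == domain ) clause removed, as in the message."""
    return dominates(h1, h2) or "mlsfileread" in t1_attrs


def pairwise_isolated(pids):
    """True when no PID's category set dominates another's in the list.

    This is the property the encoding needs: with the domain exemption gone,
    cross-PID access must fail the 'dom' test unless t1 has mlsfileread.
    """
    sets = [pid_to_categories(p) for p in pids]
    for i, a in enumerate(sets):
        for j, b in enumerate(sets):
            if i != j and dominates(a, b):
                return False
    return True


if __name__ == "__main__":
    # Constructed sample: two neighbouring PIDs of the same web-app domain.
    a = pid_to_categories(1234)
    b = pid_to_categories(1235)
    print("pid 1234 ->", categories_to_label(a))
    print("pid 1235 ->", categories_to_label(b))
    # Reading another process's /proc/<pid> entry: the target inode carries the
    # other process's domain type, so t2 has the "domain" attribute.
    print("original rule:", original_constraint(a, b, {"domain"}, {"domain"}))
    print("modified rule:", modified_constraint(a, b, {"domain"}, {"domain"}))
    print("isolated:", pairwise_isolated([1234, 1235, 1]))
```

Running the script shows the original rule allowing the /proc read through the `t2 == domain` exemption while the modified rule denies it, since neither PID's 16-category set dominates the other; a type carrying `mlsfileread` still passes, which is the remaining escape hatch to keep an eye on when auditing the patched policy.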