Using dyntransition to reduce privileges for Web application
Daniel J Walsh
dwalsh at redhat.com
Mon Feb 21 16:46:53 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/21/2011 01:25 AM, Scott Gifford wrote:
> On Sun, Feb 20, 2011 at 5:54 PM, Scott Gifford
> <sgifford at suspectclass.com <mailto:sgifford at suspectclass.com>> wrote:
> [ ... ]
>
> I think I can automatically generate a unique category set from a
> PID by using two MCS categories to represent each bit of the PID,
> the first for a 0-bit and the second for a 1-bit. That will take 32
> categories for a 16-bit PID, which seems reasonable.
>
>
> OK, I've got this working now, each PID gets a unique set of MCS
> categories, and so HTTPD child processes canot read each other's process
> information.
>
> They do have to share files sometimes, so I designated c0 for that, and
> made sure the processes are always in c0. Now if something should be
> shared, it should remove all groups besides c0, and it will be shareable.
>
> I expected to do this through file mapping in my module's .fc file, like
> this:
>
> /var/www/portal_auth(/.*)?
> gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,c0)
>
>
> But when new files are created in /var/www/portal_auth, they still have
> all of the PID-specific categories, in addition to c0.
>
> To make this work, I had to grant { setattr relabelfrom relabelto } to
> my Web app and make a call to setxattr to change the category on shared
> files.
>
> That works, but it seems like it would be simpler and more secure to do
> this through file mappings in my modules .fc file.
>
> Is there a mistake in my file context configuration above somewhere? Or
> am I misunderstanding how categories are applied from file context rules?
>
> Thanks for any tips,
>
> ------Scott.
>
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
When a process running at MCS1 creates a file it will create the file
with the same label MCS1. I am not sure what you are trying to do with
/var/run/portal_auth, does every one of your scripts need to be able to
read/write every file within the directory?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1ilv0ACgkQrlYvE4MpobO3kgCeJBWrYErSZrcVBbtSGZQ06+sr
TLsAnA106HyOhEvmed31dCfuO50IzvpK
=GBay
-----END PGP SIGNATURE-----
More information about the selinux
mailing list