Using dyntransition to reduce privileges for Web application

Scott Gifford sgifford at suspectclass.com
Mon Feb 21 17:37:20 UTC 2011


On Mon, Feb 21, 2011 at 11:46 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:

> On 02/21/2011 01:25 AM, Scott Gifford wrote:
>
 [ ... ]

>
> > They do have to share files sometimes, so I designated c0 for that, and
> > made sure the processes are always in c0.  Now if something should be
> > shared, it should remove all groups besides c0, and it will be shareable.
> >
> > I expected to do this through file mapping in my module's .fc file, like
> > this:
> >
> >     /var/www/portal_auth(/.*)?
> >     gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,c0)
> >
> >
> > But when new files are created in /var/www/portal_auth, they still have
> > all of the PID-specific categories, in addition to c0.
> >
> > To make this work, I had to grant { setattr relabelfrom relabelto } to
> > my Web app and make a call to setxattr to change the category on shared
> > files.
> >
> > That works, but it seems like it would be simpler and more secure to do
> > this through file mappings in my module's .fc file.
> [ ... ]
>
> When a process running at MCS1 creates a file it will create the file
> with the same label MCS1.  I am not sure what you are trying to do with
> /var/run/portal_auth, does every one of your scripts need to be able to
> read/write every file within the directory?
>

Yes, I am creating categories for my Web server child processes based on
their PID to stop them from having access to each other's internal data in
"/proc" (a variation on your earlier suggestion to "grab random MCS labels
to separate the processes"), but the files in /var/run/portal_auth have
session data that all the Web processes need access to.

I can keep using setxattr, that seems to work well enough.

But I guess I'm not clear on when and how the category field to gen_context
in the .fc file is used?

Thanks,

------Scott.
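An added example, not code from the thread: a defender's helper for the relabel step Scott describes, which strips every MCS category except the shared c0 from a file's security.selinux label via setxattr. It assumes a single-level file context (no MLS range) and that the calling domain holds the setattr/relabelfrom/relabelto permissions mentioned above; the category parsing is pure Python and needs no SELinux host to run.

```python
import os

XATTR = "security.selinux"  # xattr that carries the SELinux file label


def parse_categories(mcs: str) -> set:
    """Expand an MCS category list such as 'c0,c5.c7' into {0, 5, 6, 7}."""
    cats = set()
    for part in filter(None, mcs.split(",")):
        if "." in part:  # 'c5.c7' is the compact form of a contiguous range
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats


def format_categories(cats) -> str:
    """Serialise {0, 5, 6, 7} back into the compact form 'c0,c5.c7'."""
    nums, out, i = sorted(cats), [], 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        out.append(f"c{nums[i]}" if i == j else f"c{nums[i]}.c{nums[j]}")
        i = j + 1
    return ",".join(out)


def restrict_context(context: str, keep: set) -> str:
    """Return `context` with only the categories in `keep` retained.

    Example: 'system_u:object_r:httpd_sys_script_rw_t:s0:c0,c1234' with
    keep={0} becomes 'system_u:object_r:httpd_sys_script_rw_t:s0:c0'.
    """
    fields = context.rstrip("\0").split(":", 3)
    if len(fields) < 4:  # no MLS/MCS level on this label: nothing to strip
        return context.rstrip("\0")
    user, role, type_, level = fields
    sens, _, cats = level.partition(":")  # 's0' plus optional category list
    kept = parse_categories(cats) & set(keep)
    new_level = sens + (":" + format_categories(kept) if kept else "")
    return ":".join([user, role, type_, new_level])


def share_file(path: str, keep=frozenset({0})) -> str:
    """Relabel `path` so only the shared categories (c0 by default) remain."""
    current = os.getxattr(path, XATTR).decode()
    new = restrict_context(current, keep)
    if new != current.rstrip("\0"):
        os.setxattr(path, XATTR, new.encode() + b"\0")  # NUL-terminated like libselinux
    return new
```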