Using dyntransition to reduce privileges for Web application

Daniel J Walsh dwalsh at redhat.com
Mon Feb 21 19:22:26 UTC 2011



On 02/21/2011 12:37 PM, Scott Gifford wrote:
> On Mon, Feb 21, 2011 at 11:46 AM, Daniel J Walsh <dwalsh at redhat.com
> <mailto:dwalsh at redhat.com>> wrote:
> 
>     On 02/21/2011 01:25 AM, Scott Gifford wrote:
> 
>  [ ... ] 
> 
> 
>     > They do have to share files sometimes, so I designated c0 for that, and
>     > made sure the processes are always in c0.  Now if something should be
>     > shared, it should remove all groups besides c0, and it will be shareable.
>     >
>     > I expected to do this through file mapping in my module's .fc file, like
>     > this:
>     >
>     >     /var/www/portal_auth(/.*)?
>     >     gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,c0)
>     >
>     > But when new files are created in /var/www/portal_auth, they still have
>     > all of the PID-specific categories, in addition to c0.
>     >
>     > To make this work, I had to grant { setattr relabelfrom relabelto } to
>     > my Web app and make a call to setxattr to change the category on shared
>     > files.
>     >
>     > That works, but it seems like it would be simpler and more secure to do
>     > this through file mappings in my module's .fc file.
>     [ ... ]
> 
>     When a process running at MCS1 creates a file it will create the file
>     with the same label MCS1.  I am not sure what you are trying to do with
>     /var/run/portal_auth, does every one of your scripts need to be able to
>     read/write every file within the directory?
> 
> 
> Yes, I am creating categories for my Web server child processes based on
> their PID to stop them from having access to each other's internal data
> in "/proc" (a variation on your earlier suggestion to "grab random MCS
> labels to separate the processes"), but the files
> in /var/run/portal_auth have session data that all the Web processes
> need access to.
> 
> I can keep using setxattr, that seems to work well enough.
> 
> But I guess I'm not clear on when and how the category field to
> gen_context in the .fc file is used?
> 
> Thanks,
> 
> ------Scott.
> 
> 
> 

The syntax should have been:

/var/www/portal_auth(/.*)?
gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,s0:c0)

s0:c0 means Security Level s0 with category c0.

If you leave the files with no categories, s0, then they should be able
to read/write them.

Moving to categories provides isolation between the scripts; the goal
would be for the scripts not to be able to attack each other, but
allowing them to write to the same files potentially gives them a
mechanism to attack each other.



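The MCS rule this thread turns on, as an added Python illustration that is not code from either poster or from SELinux itself: a process can access a file only if the process level dominates the file level, meaning the file's categories are a subset of the process's categories. The labels below are constructed; "c1234" and "c5678" stand in for the PID-derived categories Scott describes, and c0 is the shared category.

```python
import re

def parse_mcs(level):
    """Parse an MCS level such as 's0', 's0:c0' or 's0:c0,c5.c7' into
    (sensitivity number, frozenset of category numbers).
    'c5.c7' denotes the inclusive range c5..c7, as in 'c0.c1023'."""
    m = re.fullmatch(r"s(\d+)(?::([c\d.,]+))?", level.strip())
    if not m:
        raise ValueError(f"bad MCS level: {level!r}")
    cats = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cats.update(range(lo_n, hi_n + 1))
    return int(m.group(1)), frozenset(cats)

def dominates(proc_level, file_level):
    """Dominance check: process sensitivity >= file sensitivity and the
    file's categories are a subset of the process's categories.
    A file with no categories (plain 's0') is therefore readable by any
    process at s0, whatever categories that process carries."""
    ps, pc = parse_mcs(proc_level)
    fs, fc = parse_mcs(file_level)
    return ps >= fs and fc <= pc

# Constructed labels mirroring the thread: c0 is shared by every web child,
# the second category is the per-child (PID-derived) one.
CHILD_A = "s0:c0,c1234"
CHILD_B = "s0:c0,c5678"

def access_matrix(file_levels, procs=(CHILD_A, CHILD_B)):
    """Map each file level to the set of process levels that dominate it.
    Shows why files created by a child inherit that child's full level
    (and become private to it) while files labelled s0:c0 via the .fc
    mapping stay shared among all children."""
    return {f: {p for p in procs if dominates(p, f)} for f in file_levels}

if __name__ == "__main__":
    for level, readers in access_matrix(["s0", "s0:c0", CHILD_A]).items():
        print(f"{level:14} readable by {sorted(readers)}")
```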