Using dyntransition to reduce privileges for Web application
Scott Gifford
sgifford at suspectclass.com
Tue Feb 22 03:19:17 UTC 2011
On Mon, Feb 21, 2011 at 2:22 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
> On 02/21/2011 12:37 PM, Scott Gifford wrote:
> > Yes, I am creating categories for my Web server child processes based on
> > their PID to stop them from having access to each other's internal data
> > in "/proc" (a variation on your earlier suggestion to "grab random MCS
> > labels to separate the processes"), but the files
> > in /var/run/portal_auth have session data that all the Web processes
> > need access to.
> >
> > I can keep using setxattr, that seems to work well enough.
> >
> > But I guess I'm not clear on when and how the category field to
> > gen_context in the .fc file is used?
> >
>
[ ... ]
> The syntax should have been:
>
> /var/www/portal_auth(/.*)?
> gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,s0:c0)
>
> s0:c0 means Security Level s0 with category c0.
>
When I try that I get this error:
libsepol.mls_from_string: invalid MLS context s0:s0:c0
Which seems to confirm what the Tresys Wiki page GettingStarted
(http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted) says:
Since the MCS policy has only one sensitivity (s0), this is automatically
added by the gen_context() macro, and should not be added by the user.
Any other suggestions for how to get these files labeled with a category
automatically?
> If you leave the files with no categories s0, then they should be able
> to read/write them.
>
Yeah, true, but I'm not sure how to cause them to have no category either,
apart from using setxattr.
> Moving to categories provides isolation between the scripts, the goal
> would be for the scripts to not be able to attack each other, but
> allowing them to write to the same files potentially gives them a
> mechanism to attack each other.
>
Definitely true, but the communication is necessary in this case, and the
files are easier to understand and control than the process data. I think
it's a good tradeoff for my application.
Thanks!
------Scott.
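The two mechanisms the thread discusses (each Web worker moved into its own MCS category by dyntransition, and the shared session files labelled with one category or with none) are put together below in an added example. It is not code from either poster. It assumes gen_context() behaves as the quoted Tresys wiki text describes (modelled on refpolicy's policy/support/misc_macros.spt; verify against the copy you build from), that the worker domain is httpd_sys_script_t, and that the stock MCS policy defines categories c0..c1023. The context-string helpers run anywhere; the two functions that touch the kernel need an SELinux host and the matching allow rules.

```python
"""Added example: MCS contexts for per-worker dyntransition and shared files.

Not code from the thread. Assumptions are marked in comments.
"""
import os
import re


# Assumption: with MCS the macro appends ":s0" itself and then ":<categories>"
# from its third argument, ignoring the second. Modelled on refpolicy's
# policy/support/misc_macros.spt; check the version you build from.
def gen_context_mcs(base, mls_sensitivity="s0", mcs_categories=""):
    ctx = base + ":s0"
    if mcs_categories:
        ctx += ":" + mcs_categories
    return ctx


# A single-level MCS context: user:role:type:s0[:cN[.cM][,cN[.cM]...]]
_LEVEL = r"s0(?::c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*)?"
_CTX = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+:(" + _LEVEL + r")$")


def is_valid_mcs_context(ctx):
    """Syntactic check only; libsepol and the kernel still decide whether
    the user, role, type and categories exist in the loaded policy."""
    return _CTX.match(ctx) is not None


def fc_line(path_regex, type_, categories=""):
    """Render a refpolicy .fc entry. Under MCS the categories go in the
    third gen_context() argument and the s0 sensitivity is not repeated."""
    args = "system_u:object_r:" + type_ + ",s0"
    if categories:
        args += "," + categories
    return path_regex + "\tgen_context(" + args + ")"


MCS_CATEGORIES = 1024  # assumption: stock MCS policy defines c0..c1023


def worker_context(pid, base="system_u:system_r:httpd_sys_script_t"):
    """Context for one Web worker, with a category derived from its PID.
    pid % 1024 collides once more than 1024 workers have existed; a real
    deployment would track categories in use rather than trust the PID."""
    return base + ":s0:c" + str(pid % MCS_CATEGORIES)


def dyntransition(ctx):
    """Switch the calling process to ctx (what libselinux setcon() does):
    write the new context to /proc/self/attr/current. Needs an SELinux host
    and an `allow <cur> <new>:process dyntransition;` rule; raises otherwise."""
    if not is_valid_mcs_context(ctx):
        raise ValueError("malformed context: " + ctx)
    with open("/proc/self/attr/current", "w") as f:
        f.write(ctx)


def label_shared_file(path, ctx):
    """What chcon does underneath: set the security.selinux xattr.
    A file left at plain s0 (no categories) is accessible to a worker of
    any single category, which is the shared-session-file case above."""
    if not is_valid_mcs_context(ctx):
        raise ValueError("malformed context: " + ctx)
    os.setxattr(path, "security.selinux", ctx.encode())


if __name__ == "__main__":
    base = "system_u:object_r:httpd_sys_script_rw_t"
    ok = gen_context_mcs(base, "s0", "c0")
    bad = gen_context_mcs(base, "s0", "s0:c0")
    print(ok, is_valid_mcs_context(ok))    # ...:s0:c0 True
    print(bad, is_valid_mcs_context(bad))  # ...:s0:s0:c0 False (the libsepol error)
    print(fc_line("/var/www/portal_auth(/.*)?", "httpd_sys_script_rw_t", "c0"))
    print(worker_context(os.getpid()))
```

Running the script on a non-SELinux box exercises only the string helpers; on an SELinux host, call dyntransition() in each forked worker before it starts serving, and label_shared_file() once on the session directory after it is created.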