Using dyntransition to reduce privileges for Web application

Scott Gifford sgifford at suspectclass.com
Tue Feb 22 03:19:17 UTC 2011


On Mon, Feb 21, 2011 at 2:22 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:

>
> On 02/21/2011 12:37 PM, Scott Gifford wrote:
> > Yes, I am creating categories for my Web server child processes based on
> > their PID to stop them from having access to each other's internal data
> > in "/proc" (a variation on your earlier suggestion to "grab random MCS
> > labels to separate the processes"), but the files
> > in /var/run/portal_auth have session data that all the Web processes
> > need access to.
> >
> > I can keep using setxattr, that seems to work well enough.
> >
> > But I guess I'm not clear on when and how the category field to
> > gen_context in the .fc file is used?
> >
>
[ ... ]

> The syntax should have been:
>
> /var/www/portal_auth(/.*)?
> gen_context(system_u:object_r:httpd_sys_script_rw_t,s0,s0:c0)
>
> s0:c0 means Security Level s0 with category c0.
>

When I try that I get this error:

libsepol.mls_from_string: invalid MLS context s0:s0:c0


Which seems to confirm what the Tresys Wiki page
GettingStarted <http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted> says:

Since the MCS policy has only one sensitivity (s0), this is automatically
added by the gen_context() macro, and should not be added by the user.


Any other suggestions for how to get these files labeled with a category
automatically?

> If you leave the files with no categories s0, then they should be able
> to read/write them.
>

Yeah, true, but I'm not sure how to cause them to have no category either,
apart from using setxattr.


> Moving to categories provides isolation between the scripts, the goal
> would be for the scripts to not be able to attack each other, but
> allowing them to write to the same files potentially gives them a
> mechanism to attack each other.
>

Definitely true, but the communication is necessary in this case, and the
files are easier to understand and control than the process data.  I think
it's a good tradeoff for my application.

Thanks!

------Scott.
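Added example (not part of the thread, and not refpolicy's own m4): a small Python emulation of how an MCS build expands a gen_context() line in a .fc file, plus an approximate check in the spirit of libsepol's mls_from_string. It assumes, as the Tresys wiki quote says, that the macro appends the single sensitivity s0 itself and that the third argument carries only the categories, so passing "s0:c0" there yields the doubled "s0:s0:c0" seen above.

```python
import re

# Assumption (from the quoted wiki text): under MCS the macro appends ":s0"
# itself, and the third argument is categories only (e.g. "c0" or "c0,c5.c10").
SENS = re.compile(r"^s\d+$")
CATS = re.compile(r"^c\d+(\.c\d+)?(,c\d+(\.c\d+)?)*$")


def gen_context_mcs(context, mls_sensitivity="s0", mcs_categories=""):
    """Expand gen_context(context, sensitivity, categories) the way an MCS
    policy build does: the sensitivity argument is ignored, s0 is forced."""
    label = f"{context}:s0"
    if mcs_categories:
        label += f":{mcs_categories}"
    return label


def validate_mcs_label(label):
    """Approximate structural check: user:role:type:sens[:cats], exactly one
    sensitivity field. Returns (ok, message) instead of raising."""
    parts = label.split(":")
    if len(parts) < 4:
        return False, "missing sensitivity"
    sens = parts[3]
    if not SENS.match(sens):
        return False, f"invalid sensitivity {sens!r}"
    rest = parts[4:]
    if len(rest) > 1:
        # This is the shape of the error in the thread: two sensitivities.
        return False, "invalid MLS context " + ":".join(parts[3:])
    if rest and not CATS.match(rest[0]):
        return False, f"invalid category set {rest[0]!r}"
    return True, label


def fc_line(path_regex, context, mls_sensitivity="s0", mcs_categories=""):
    """Build one file-context line, raising on a label the loader would reject."""
    label = gen_context_mcs(context, mls_sensitivity, mcs_categories)
    ok, msg = validate_mcs_label(label)
    if not ok:
        raise ValueError(f"libsepol.mls_from_string: {msg}")
    return f"{path_regex}\t{label}"
```

Calling fc_line with categories "c0" gives a label ending in ":s0:c0", while "s0:c0" reproduces the "invalid MLS context s0:s0:c0" failure.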

