From: Tom <tom@lemuria.org>
To: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: policy question
Date: Thu, 18 Apr 2002 18:32:58 +0200
Message-ID: <20020418183258.B7029@lemuria.org>
In-Reply-To: <20020418160829.1AF9F44D90@lyta.coker.com.au>; from russell@coker.com.au on Thu, Apr 18, 2002 at 06:08:28PM +0200
On Thu, Apr 18, 2002 at 06:08:28PM +0200, Russell Coker wrote:
> > In essence, it boils down to: "a script (php, cgi, whatever) that
> > belongs to user X can only access files of user X"
>
> Doing it for cgi is easy enough. I could easily hack something up if the NSA
> people don't release the MITRE code.
I guess so. The cgi gets executed in a new process, at which time a
domain transition is trivial to set up. I guess I can do that myself as
a learning exercise.
> > The sole problem being that the scripts aren't executed in the
> > unix-sense of execution, but by being loaded and interpreted by the
> > apache process.
>
> Which means that they can't be given a different UID and therefore they can't
> be given a different domain because domain transition can only occur at exec
> time (just like for SUID programs).
If that is so, then my question is answered. Is execution really the
only point for a domain transition? That would make sense, but I also
see reasons for doing transitions during other file access operations
(e.g. maybe you want to get a higher protection level while certain
files are open).
> The concept you have is wrong, nothing will make domain transitions on module
> load work.
Not on module load. The PHP module is loaded when apache starts. I want
to make a domain transition when it accesses a file. Here's a simple
flowchart:
* HTTP request incoming
* Apache main process hands request to a child or forks a new one
* Child parses request, finds URL, does URL to filename translation
* Child opens file
==> domain transition
* File is found to be a php file and is handled by the PHP module
* PHP module opens files, reads, writes, whatever
* Output sent to client
* Socket close
==> transition back to original domain
I see that this may not be possible with the current SELinux code. I'm
trying to point out that it may be useful. PHP is not the only thing
coming to mind.
Maybe apache can initiate the domain transition itself? A singular
patch in the URL parsing instance ("read target file's domain and make a
transition to it") should be feasible. As you pointed out, this would
be similar to what suexec does.
Again, it may still be that I have a gross misunderstanding of what is
possible and what not and how things work. If so, please point my
errors out.
--
http://web.lemuria.org/pubkey.html
pub 1024D/D88D35A6 2001-11-14 Tom Vogt <tom@lemuria.org>
Key fingerprint = 276B B7BB E4D8 FCCE DB8F F965 310B 811A D88D 35A6
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
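The CGI case Russell and Tom agree is "easy enough" comes down to a handful of policy statements, shown here as an added illustration written for this archive page; it is not code from the thread, from Apache, or from any shipped SELinux policy, and the type names (httpd_t, user_cgi_exec_t, user_cgi_t, user_x_data_t) are assumed for the example. Every rule keys on the exec of a file carrying the entrypoint type, which is exactly why the same mechanism has nothing to hook for a script that is merely read and interpreted inside the running apache process.

```selinux
# Added example, not from the thread or any shipped policy.
# Type names below are assumed for illustration.
type httpd_t;            # the Apache server domain
type user_cgi_exec_t;    # label on user X's CGI executable
type user_cgi_t;         # domain the CGI process runs in
type user_x_data_t;      # label on user X's own data files

# The server may execute files labelled as user X's CGI.
allow httpd_t user_cgi_exec_t:file { getattr read execute };

# user_cgi_t can only be entered through a user_cgi_exec_t file;
# this is the exec-time hook that an interpreted PHP page never passes.
allow user_cgi_t user_cgi_exec_t:file entrypoint;

# httpd_t is authorised to switch domain to user_cgi_t.
allow httpd_t user_cgi_t:process transition;

# Perform that switch automatically whenever httpd_t execs
# a user_cgi_exec_t file (equivalent of the old domain_auto_trans macro).
type_transition httpd_t user_cgi_exec_t:process user_cgi_t;

# What the script domain may reach afterwards: only user X's files,
# which is the "script of user X accesses only files of user X" rule
# from the thread. No rule grants user_cgi_t access to other users' labels.
allow user_cgi_t user_x_data_t:dir { getattr search read };
allow user_cgi_t user_x_data_t:file { getattr read write };
```

A loadable policy would additionally need the usual role and user authorisations for user_cgi_t and the generic process and file permissions every domain needs; only the transition mechanics are shown. The in-process PHP path in Tom's flowchart performs no exec, so neither `entrypoint` nor `type_transition` ever fires for it. SELinux later gained a `process dyntransition` permission, used through setcon(3), that lets a confined process change its own domain without exec, but that facility postdates this thread and the mitigation of the day was the suexec-style split into a separate process.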