* writing rules to disallow a domain to read particular files
From: Jaspreet Singh @ 2004-10-16 15:21 UTC
To: nsa

Hi,

can someone help me with writing policy rules such that -

A domain (say apache_d) cannot access files beyond a directory /home/jaspreet/

any clues ???

Also, if anyone could explain the behavior of "newrole": how can that be used here?

Jaspreet

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
* Re: writing rules to disallow a domain to read particular files
From: Colin Walters @ 2004-10-16 17:40 UTC
To: jsingh; +Cc: SELinux

On Sat, 2004-10-16 at 20:51 +0530, Jaspreet Singh wrote:
> Hi,
>
> can someone help me with writing policy rules such that -
>
> A domain (say apache_d) cannot access files beyond a directory
> /home/jaspreet/

Look at the label on /home/jaspreet. It should be user_home_dir_t. The labels on contained files are user_home_t. If you allow httpd_t access to user_home_dir_t, but not user_home_t, that should achieve your goal.

What is your higher level goal though?

> Also if anyone could explain the behavior of "newrole" how can that be
> used here.

It's not really relevant to your previous problem. Do you have a specific question about newrole?
* Re: writing rules to disallow a domain to read particular files
From: Jaspreet Singh @ 2004-10-17 12:54 UTC
To: Colin Walters, lkcl, sds; +Cc: nsa

Hi,

Thanx for the mails ...

> Look at the label on /home/jaspreet. It should be user_home_dir_t. The
> labels on contained files are user_home_t. If you allow httpd_t access
> to user_home_dir_t, but not user_home_t, that should achieve your goal.

I have already followed this approach to achieve the target (i.e. not giving access to a particular file/dir type to the domain).

What I want is something more generic and sophisticated.

> What is your higher level goal though?

The higher goal is to support (site) virtualization, e.g.

apart from /home/users I want to have /home/virtual/siteNum/home/users

and now, based on the access writes of users of a particular site, I want them to access services like apache, so that apache cant access /home/virtual/siteNum/home/users/public_html/files.html

One approach is definitely to simply tag the files as "siteNum_virtual_home_t" and then allow/disallow apache to read them; for that matter, simply tag them with unlabeled_t to deny access by any service.

But this would be computationally more complex than something like a role based approach. For example, this could be achieved in DAC by manipulating group permissions, i.e. all the site users availing a particular service become part of the "service group", and then this group has group rwxd permissions for the service specific files. I don't want to tamper with the file permissions coz something like sendmail would never like it :-(

> It's not really relevant to your previous problem. Do you have a
> specific question about newrole?

Now, I know only the login method can assign roles, so what about the non-login sessions ???

and one more thing which came to my mind was (may be irrelevant to the context) ... What if I "mount --bind" the contents of a directory to multiple places and give different file tags to the different mount points .. will the selinux system work properly in this scenario (coz it won't in the case of LIDS, which relies upon ACLs)?

Sorry for any confusions .. created by this mail ;-)

Jaspreet Singh
--
:: don't walk as if you own the world, walk as if you don't damn who owns it ::
Jaspreet Singh, Software Engineer, Ensim India. Ph # +91 9890712226
* Re: writing rules to disallow a domain to read particular files
From: Luke Kenneth Casson Leighton @ 2004-10-17 14:14 UTC
To: Jaspreet Singh; +Cc: Colin Walters, sds, nsa

On Sun, Oct 17, 2004 at 06:24:20PM +0530, Jaspreet Singh wrote:
> Hi,
>
> Thanx for the mails ...
>
> > Look at the label on /home/jaspreet. It should be user_home_dir_t. The
> > labels on contained files are user_home_t. If you allow httpd_t access
> > to user_home_dir_t, but not user_home_t, that should achieve your goal.
>
> I have already followed this approach to achieve the target (i.e not
> giving the access to a particular file/dir type to the domain )
>
> What I want is something more generic and sophisticated.
>
> > What is your higher level goal though?
>
> The higher goal is to support (site) virtualization e.g.
>
> apart from /home/users I want to have /home/virtual/siteNum/home/users

okay, one way to achieve that is to use the macro apache_domain(virtual_$1), say by adding it to macros/base_macros.te at the same point where apache_domain($1) is used.

plus adding

> and now based on the access writes of users of a particular site I want
> them to access services like apache. so that apache cant access
> /home/virtual/siteNum/home/users/public_html/files.html

uh? _can't_ access ..../files.html?? why?

> One approach is definitely to simply tag the files as
> "siteNum_virtual_home_t" and the allow/disallow apache to read them for
> that matter simply tag them with unlabled_t to deny access by any
> service.

okay. whom do you want to allow access to what?

do you want the user to be able to ftp or scp files up to the /home/virtual/siteNum directory?

you really need to lay out exactly who manages and how the files are to be managed.

what i mean is that you can use apache_domain as above but then you need to grant someone the right to upload files into the new file contexts.

so. is a user given the right to manage a group of sites, or is there going to be one user per site (like my brother does: he has one username per VirtualHost), are there going to be several users per group of sites? how are the site files to be managed? etc.

--
Truth, honesty and respect are rare commodities that all spring from the same well: Love. If you love yourself and everyone and everything around you, funnily and coincidentally enough, life gets a lot better.
lkcl.net | lkcl@lkcl.net
* Re: writing rules to disallow a domain to read particular files
From: Jaspreet Singh @ 2004-10-17 14:31 UTC
To: Luke Kenneth Casson Leighton, nsa

Hi,

> okay, one way to achieve that is to use the
> macro apache_domain(virtual_$1) say by adding it to
> macros/base_macros.te at the same point where apache_domain($1)
> is used.

Could you elaborate on this more ... I am not able to understand

> plus adding
>
> > and now based on the access writes of users of a particular site I want
> > them to access services like apache. so that apache cant access
> > /home/virtual/siteNum/home/users/public_html/files.html
>
> uh? _can't_ access ..../files.html?? why?

Let me give you the idea of virtualization ... i guess i made a mistake last time ..

sites can have any number of users, and the users can only see the site file system (chroot env). Now the site avails certain services like apache, sshd, telnet and things like that ...

based upon what they have availed .. they are given services. So only when the site avails for say .. apache service i want to allow the apache to read the user files. I know this can be don't through httpd.conf .. but apache is just one example .. i want a generic MAC based solution.

One way to do this in DAC is ... all the files in the site file system like /home/virtual/siteNum/etc/http.conf and all are owned by the group "apache", and users are added to this group when the site avails for apache service.

Now who does this shifting is a secondary thing .... and difficult to explain here ..... is there any way to do this in MAC ??? something using roles may be ??

Thanx
Jaspreet
--
:: don't walk as if you own the world, walk as if you don't damn who owns it ::
Jaspreet Singh, Software Engineer, Ensim India. Ph # +91 9890712226
* Re: writing rules to disallow a domain to read particular files
From: Luke Kenneth Casson Leighton @ 2004-10-17 15:01 UTC
To: Jaspreet Singh; +Cc: nsa

On Sun, Oct 17, 2004 at 08:01:28PM +0530, Jaspreet Singh wrote:
> Hi,
>
> > okay, one way to achieve that is to use the
> > macro apache_domain(virtual_$1) say by adding it to
> > macros/base_macros.te at the same point where apache_domain($1)
> > is used.
>
> Could you elaborate on this more ... I am not able to understand

you need to read my previous email in which i describe a walk-through of going over the apache macros.

> > plus adding
> >
> > > and now based on the access writes of users of a particular site I want
> > > them to access services like apache. so that apache cant access
> > > /home/virtual/siteNum/home/users/public_html/files.html
> >
> > uh? _can't_ access ..../files.html?? why?
>
> Let me give you the idea of virtualization ...

good idea :)

> i guess i made a mistake
> last time ..

no, just missing information. but let's clarify: cant is not an english word: above, do you mean "can" or do you mean "can not"?

> sites and have any numbers of users, and the users can only see the site
> file system (chroot env).

okay, so first you should look at file_contexts/program/apache.fc and change the second line

HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t

to:

/home/virtual/siteNum/HOME_DIR/((www)|....

and see what happens. you _may_ have to look at genhomedircon to ensure that it can substitute HOME_DIR when it is used like i suggest.

> Now the site avails certain services like
> apache , sshd , telnet and things like that ...
>
> based upon what they have availed .. they are given services. So only
> when the site avails for say .. apache service i want to allow the
> apache to read the user files. I know this can be don't through

surely you mean done not don't (don't is short for "do not")

> httpd.conf .. but apache is just one example .. i want a generic MAC
> based solutions.
>
> One way to do this in DAC is ... all the files in site file system like
> /home/virtual/siteNum/etc/http.conf and all is owned by the the group -
> "apache" and users users are added to this group when the site avails
> for apache service.

so not only do you want the user to be able to access the site files but also you want the user to be able to manage the ADMINISTRATIVE file httpd.conf (for their Virtual site) is that right? [doesn't sound right but i'm just checking].

--
lkcl.net | lkcl@lkcl.net
* Re: writing rules to disallow a domain to read particular files
From: Chris Kuethe @ 2004-10-17 17:16 UTC
To: selinux

I could be way out to lunch here, but....

Jaspreet appears to work for Ensim - a maker of web hosting appliance software. I think what he's after is trying to use the MAC features of SELinux to provide stronger isolation between users of a hosting appliance than the current chroot() and application level controls will provide.

I have access to a couple of ensim boxen - not a bad little widget. It's quite exciting to hear the suggestion that they're trying to use SELinux for their next generation product...

CK
--
GDB has a 'break' feature; why doesn't it have 'fix' too?
* Re: writing rules to disallow a domain to read particular files
From: Colin Walters @ 2004-10-17 16:35 UTC
To: jsingh; +Cc: SELinux

On Sun, 2004-10-17 at 18:24 +0530, Jaspreet Singh wrote:
> The higher goal is to support (site) virtualization e.g.
>
> apart from /home/users I want to have /home/virtual/siteNum/home/users
>
> and now based on the access writes of users of a particular site I want
> them to access services like apache. so that apache cant access
> /home/virtual/siteNum/home/users/public_html/files.html

I think I see. Ok. There are two broad approaches. First is to go with full_user_role for each user. Let's say that you have three users: jaspreet, bob, and manoj. You have three sites: foocom, barcom, bazcom. You want jaspreet to have control over foocom and barcom, bob to control barcom, and manoj to control foocom and bazcom.

macros/program/apache_macros.te:

define(`httpd_virtual_subdomain',`
type httpd_$1_content_t, file_type, sysadmfile;
r_dir_file(httpd_t, httpd_$1_content_t)
# Also may want to define types for CGI scripts, etc here
')

define(`user_virtual_access',`
rw_dir_create_file($1, httpd_$2_content_t)
allow $1 httpd_$2_content_t:{ file lnk_file } { relabelfrom relabelto };
')

domains/misc/local.te:

full_user_role(jaspreet)
full_user_role(bob)
full_user_role(manoj)
httpd_virtual_subdomain(foocom)
httpd_virtual_subdomain(barcom)
httpd_virtual_subdomain(bazcom)
user_virtual_access(jaspreet_t, foocom)
user_virtual_access(jaspreet_t, barcom)
user_virtual_access(bob_t, barcom)
user_virtual_access(manoj_t, foocom)
user_virtual_access(manoj_t, bazcom)

users.te:

user jaspreet roles { jaspreet_r };
user bob roles { bob_r };
user manoj roles { manoj_r };

That should do the trick.

> But, this would be computationally more complex to something like a role
> based approach.

Right, so the second approach would be:

domains/misc/local.te:

full_user_role(foocom_webmaster)
full_user_role(barcom_webmaster)
full_user_role(bazcom_webmaster)

users.te:

user jaspreet roles { foocom_webmaster_r barcom_webmaster_r };
user bob roles { barcom_webmaster_r };
user manoj roles { foocom_webmaster_r bazcom_webmaster_r };

This is a lot simpler from the policy side, but your users will have to be aware of newrole.

> Now, I know only login method can assign roles , so what about the
> non-login sessions ???

You can use newrole to change between allowed roles, for example:

$ id
uid=500(jaspreet) gid=500(jaspreet) groups=500(jaspreet) context=jaspreet_u:foocom_webmaster_r:foocom_webmaster_t
$ $EDITOR /home/virtual/foocom/jaspreet/hi.html
$ newrole -r barcom_webmaster_r
Password for jaspreet: xxxxx
$ id
uid=500(jaspreet) gid=500(jaspreet) groups=500(jaspreet) context=jaspreet_u:barcom_webmaster_r:barcom_webmaster_t
$ $EDITOR /home/virtual/barcom/jaspreet/hi.html

> and one more thing which came to my mind was (may be irrelevent to the
> context) ... What if I "mount --bind" contents of a directory to
> multiple places and give different file tags to the different mount
> points .. will the selinux system work properly in this scenario ( coz
> it wont in case of LIDS which rely upon ACLs)

During initial file labeling, SELinux ignores bind mounts. Because it labels the actual inodes instead of attempting to use runtime pathname-based access, it doesn't matter if a program traverses to an inode via a bind mount, it still has the same label.
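As an added example (not code from the thread or the example policy), the following Python expands the two macros and the local.te lines from the message above the way m4 would, and derives from the flat allow rules which user domain may modify which site's content while httpd_t only reads; the r_dir_file and rw_dir_create_file stand-ins are assumptions, reduced to the permissions that matter for the isolation question.

```python
import re
from collections import defaultdict

# Constructed input: the two macros and the local.te lines from the message
# above.  The three full_user_role() lines are omitted because they only
# create the jaspreet_t / bob_t / manoj_t domains.
APACHE_MACROS = """
define(`httpd_virtual_subdomain',`
type httpd_$1_content_t, file_type, sysadmfile;
r_dir_file(httpd_t, httpd_$1_content_t)
')
define(`user_virtual_access',`
rw_dir_create_file($1, httpd_$2_content_t)
allow $1 httpd_$2_content_t:{ file lnk_file } { relabelfrom relabelto };
')
"""

LOCAL_TE = """
httpd_virtual_subdomain(foocom)
httpd_virtual_subdomain(barcom)
httpd_virtual_subdomain(bazcom)
user_virtual_access(jaspreet_t, foocom)
user_virtual_access(jaspreet_t, barcom)
user_virtual_access(bob_t, barcom)
user_virtual_access(manoj_t, foocom)
user_virtual_access(manoj_t, bazcom)
"""

# Assumption: simplified stand-ins for the example policy's r_dir_file and
# rw_dir_create_file macros, reduced to the dir/file permissions that matter.
BUILTIN = {
    "r_dir_file":
        "allow $1 $2:dir { read getattr search };\n"
        "allow $1 $2:file { read getattr };",
    "rw_dir_create_file":
        "allow $1 $2:dir { read getattr search write add_name remove_name };\n"
        "allow $1 $2:file { create read getattr write append unlink };",
}

DEFINE_RE = re.compile(r"define\(`(\w+)',`(.*?)'\)", re.S)
CALL_RE = re.compile(r"^(\w+)\(([^)]*)\)$")
ALLOW_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+):\{?\s*([\w ]+?)\s*\}?\s*\{\s*([\w ]+?)\s*\};")
TYPE_RE = re.compile(r"httpd_(\w+)_content_t")
WRITE_LIKE = {"write", "append", "create", "unlink", "relabelto"}


def parse_macros(text):
    """Collect define(`name',`body') blocks into a name -> body map."""
    macros = dict(BUILTIN)
    for name, body in DEFINE_RE.findall(text):
        macros[name] = body.strip()
    return macros


def expand(stmt, macros):
    """Expand one statement; macro calls recurse until only plain TE is left."""
    stmt = stmt.strip()
    m = CALL_RE.match(stmt)
    if not m or m.group(1) not in macros:
        return [stmt]
    body = macros[m.group(1)]
    for i, arg in enumerate(a.strip() for a in m.group(2).split(",")):
        body = body.replace(f"${i + 1}", arg)
    return [r for line in body.splitlines() if line.strip()
            for r in expand(line, macros)]


def flatten(local_te, macros):
    """Expand every line of a local.te fragment into flat TE statements."""
    return [r for line in local_te.splitlines() if line.strip()
            for r in expand(line, macros)]


def access_matrix(rules):
    """{source domain: {target type: {(class, perm), ...}}} from allow rules."""
    matrix = defaultdict(lambda: defaultdict(set))
    for rule in rules:
        m = ALLOW_RE.match(rule)
        if m:
            src, tgt, classes, perms = m.groups()
            matrix[src][tgt].update(
                (cls, p) for cls in classes.split() for p in perms.split())
    return matrix


def sites_readable_by(matrix, domain):
    """Virtual sites whose content files the domain may read."""
    return sorted(TYPE_RE.fullmatch(t).group(1)
                  for t, perms in matrix[domain].items()
                  if TYPE_RE.fullmatch(t) and ("file", "read") in perms)


def sites_writable_by(matrix, domain):
    """Virtual sites whose content files the domain may modify or relabel."""
    return sorted(TYPE_RE.fullmatch(t).group(1)
                  for t, perms in matrix[domain].items()
                  if TYPE_RE.fullmatch(t)
                  and any(c == "file" and p in WRITE_LIKE for c, p in perms))


def main():
    matrix = access_matrix(flatten(LOCAL_TE, parse_macros(APACHE_MACROS)))
    for domain in ("jaspreet_t", "bob_t", "manoj_t", "httpd_t"):
        print(f"{domain:<11} read={sites_readable_by(matrix, domain)} "
              f"write={sites_writable_by(matrix, domain)}")


if __name__ == "__main__":
    main()
```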
* Re: writing rules to disallow a domain to read particular files
From: Jaspreet Singh @ 2004-10-18 7:58 UTC
To: Colin Walters; +Cc: nsa

Hi,

First of all .. at Ensim .. I am just trying to take an initiative towards MAC, and if it works then i would talk to my team about implementing it. so far so good ... lets hope for the best ...

> Right, so the second approach would be:
>
> domains/misc/local.te:
> full_user_role(foocom_webmaster)
> full_user_role(barcom_webmaster)
> full_user_role(bazcom_webmaster)
>
> users.te:
>
> user jaspreet roles { foocom_webmaster_t barcom_webmaster_t };
> user bob roles { barcom_webmaster_t };
> user manoj roles { foocom_webmaster_t bazcom_webmaster_t };

That was an eye opener .. i didn't know so much was possible with SELinux. Could you pass me on some document which can elaborate on policy rules and configuration (and discusses what's all possible with these policies).

Just to test the above approach i tried the following on my FC2 box with FC3 selinux-files, but i had some bad time compiling my changes ...

I added to the "users" file -

role jaspreet
user jsingh roles { user_r site1_t sysadm_r system_r };

and to domains/misc/local.te

full_user_role(jsingh);
allow site1_t httpd_config_t:file { getattr read write };

but had some nice errors when i did make policy, like -

Building file_contexts ...
/usr/bin/checkpolicy -o policy.18 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/misc/local.te:1:ERROR 'unknown boolean read_default_t in conditional expression' at token 'read_default_t' on line 3815:
#line 1
if (read_default_t) {
domains/misc/local.te:1:ERROR 'illegal conditional expression' at token 'allow' on line 3837:
#line 1
allow jsingh_t usr_t:file { { read getattr lock execute ioctl } execute_no_trans };
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.18] Error 1

a grep on the files (grep -r read_default_t *) revealed that it has not been defined ????

Jaspreet
* Re: writing rules to disallow a domain to read particular files
From: Colin Walters @ 2004-10-18 13:18 UTC
To: jsingh; +Cc: nsa

On Mon, 2004-10-18 at 13:28 +0530, Jaspreet Singh wrote:
> That was an eye opener .. i didn't know so much was possible with
> SELinux. Could you pass me on some document which can elaborate on
> policy rules and configuration (and discusses whats all possible with
> these policies).

http://www.nsa.gov/selinux/papers/policy2-abs.cfm

> Just to test the above approach i tried the following on on my FC2 box
> with FC3 selinux-files , but i had some bad time compiling my changes
> ...

You'll need the strict policy for this, basically.
* RE: writing rules to disallow a domain to read particular files
From: Karl MacMillan @ 2004-10-18 15:38 UTC
To: jsingh; +Cc: 'nsa', 'Selinux-Dev'

> -----Original Message-----
> From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Colin Walters
> Sent: Monday, October 18, 2004 9:18 AM
> To: jsingh@ensim.com
> Cc: nsa
> Subject: Re: writing rules to disallow a domain to read particular files
>
> On Mon, 2004-10-18 at 13:28 +0530, Jaspreet Singh wrote:
>
> > That was an eye opener .. i didn't know so much was possible with
> > SELinux. Could you pass me on some document which can elaborate on
> > policy rules and configuration (and discusses whats all possible with
> > these policies).
>
> http://www.nsa.gov/selinux/papers/policy2-abs.cfm

We also provide the slides from our SELinux course on our website: http://www.tresys.com/selinux/index.html. These cover both policy syntax and SELinux concepts.

Karl

Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134

> > Just to test the above approach i tried the following on on my FC2 box
> > with FC3 selinux-files , but i had some bad time compiling my changes
> > ...
>
> You'll need the strict policy for this, basically.
* Re: writing rules to disallow a domain to read particular files
From: Jaspreet Singh @ 2004-10-18 9:41 UTC
To: Colin Walters, Stephen Smalley, lkcl; +Cc: nsa

Hi,

could you please explain to me how booleans are handled in selinux targeted policies.

eg. a grep on booleans like -

"read_default_t" , "snmpd_disable_trans" etc ...

revealed that their declaration exists in the policy.conf file.

I have changed some rules in policy and am having a tough time compiling due to -

:ERROR 'unknown boolean user_direct_mouse in conditional expression' at token 'user_direct_mouse' on line 4862:

any clues ??

Jaspreet

On Sun, 2004-10-17 at 22:05, Colin Walters wrote:
> On Sun, 2004-10-17 at 18:24 +0530, Jaspreet Singh wrote:
>
> > The higher goal is to support (site) virtualization e.g.
> >
> > apart from /home/users I want to have /home/virtual/siteNum/home/users
> >
> > and now based on the access writes of users of a particular site I want
> > them to access services like apache. so that apache cant access
> > /home/virtual/siteNum/home/users/public_html/files.html
>
> I think I see. Ok. There are two broad approaches. First is to go
> with full_user_role for each user. Let's say that you have three users:
> jaspreet, bob, and manoj. You have three sites: foocom, barcom, bazcom.
> You want jaspreet to have control over foocom and barcom, bob to control
> barcom, and manoj to control foocom and bazcom.
* Re: writing rules to disallow a domain to read particular files
From: Stephen Smalley @ 2004-10-18 13:22 UTC
To: jsingh; +Cc: Colin Walters, Luke Kenneth Casson Leighton, nsa

On Mon, 2004-10-18 at 05:41, Jaspreet Singh wrote:
> Hi,
>
> could you please explain me how are booleans handled in selinux targeted
> policies.
>
> eg. a grep on booleans like -
>
> "read_default_t" , "snmpd_disable_trans" etc ...
>
> relieved that their declaration exists in policy.conf file.
>
> I have changed some rules in policy and having a tough time compiling
> due to -
>
> :ERROR 'unknown boolean user_direct_mouse in conditional expression' at
> token 'user_direct_mouse' on line 4862:

Targeted policy doesn't include user roles, just daemon domains. Use strict policy if you want to separate users.

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: writing rules to disallow a domain to read particular files
From: Luke Kenneth Casson Leighton @ 2004-10-16 19:39 UTC
To: Jaspreet Singh; +Cc: nsa

On Sat, Oct 16, 2004 at 08:51:41PM +0530, Jaspreet Singh wrote:
> Hi,
>
> can someone help me with writing policy rules such that -
>
> A domain (say apache_d) cannot access files beyond a directory
> /home/jaspreet/
>
> any clues ???

hi jaspreet,

okay your first clue is to look in /etc/selinux/src/file_contexts/program/apache.fc

what you are looking for is to match the known location where web files are stored (and you'd expect them to be stored in /var/www, yes?)

so you look in apache.fc for /var/www and sure enough,

/var/www(/.*)?

matches against httpd_sys_content_t.

the second clue is to look in /etc/selinux/src/domains/program/apache.fc and uh, okay, there's an ifdef (`targeted_policy', ... ') around http_sys_content_t being aliased to httpd_user_content_t. okay, dunno what that's about.

okay, so, uh, okay, let's grep httpd_user_content_t and httpd_sys_content_t against */* and */*/*

okay, and we find some macros in macros/program/apache_macros.te... which defines a macro apache_domain.

also, file_contexts/file_contexts contains this:

# apache
/home/[^/]+/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t

so, /home/jaspreet/www and /home/jaspreet/web and /home/jaspreet/public_html _all_ are accessible automatically via the strict policy. already. as httpd_user_content_t.

/var/www/* is already accessible (as httpd_sys_content_t)

there are two uses of the apache_domain macro:

- the first is in domains/programs/apache.te, with this:

apache_domain(sys)

which will create you the httpd_sys_content_t etc. etc.

- the second is in macros/user_macros.te with this:

apache_domain($1)

where the macro gets called with $1 = user or $1 = sysadm or staff, whatever.

anything outside of this (using apache_domain() macro for anything else) is a bit beyond one single email for explanation.

> Also if anyone could explain the behavior of "newrole" how can that be
> used here.

there is no use of the command newrole that i perceive would be of any use to you here - that could just be because i've never had a reason to use it.

l.
--
lkcl.net | lkcl@lkcl.net
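As an added example (not code from the thread or from the reference policy), this Python resolves paths against the file_contexts entries quoted in the message above the way setfiles/matchpathcon of that era did (the last matching entry wins) and shows why a file under /home/virtual/siteNum/home/users/public_html ends up as user_home_t, which httpd_t may not read, until an entry for that tree is added; the default_t and user_home entries and the virtual-tree entry are assumptions, not lines from the real policy.

```python
import re

# Constructed file_contexts fragment.  The /var/www and /home/.../public_html
# entries are the ones quoted in the thread; the default_t and user_home entries
# are a simplified stand-in for the strict policy's HOME_ROOT rules (assumption).
BASE_FC = """
/.*                                             system_u:object_r:default_t
/home/[^/]+                                 -d  system_u:object_r:user_home_dir_t
/home/[^/]+/.+                                  system_u:object_r:user_home_t
/var/www(/.*)?                                  system_u:object_r:httpd_sys_content_t
/home/[^/]+/((www)|(web)|(public_html))(/.+)?   system_u:object_r:httpd_user_content_t
"""

# Assumption: the kind of extra entry the thread discusses adding for the
# /home/virtual/<site>/home/<user> tree (not a line from the real policy).
VIRTUAL_FC = BASE_FC + (
    "/home/virtual/[^/]+/home/[^/]+/((www)|(web)|(public_html))(/.+)?"
    "   system_u:object_r:httpd_user_content_t\n")

# Types the thread says httpd_t may read under the strict policy.
HTTPD_READABLE = {"httpd_sys_content_t", "httpd_user_content_t"}


def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, file-type flag, context)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        ftype = fields[1] if len(fields) == 3 else None   # -d dir, -- regular file
        entries.append((re.compile(fields[0]), ftype, fields[-1]))
    return entries


def label_for(path, entries, is_dir=False):
    """Resolve a path like setfiles/matchpathcon of that era: last match wins."""
    path = path.rstrip("/") or "/"
    chosen = None
    for regex, ftype, ctx in entries:
        if (ftype == "-d" and not is_dir) or (ftype == "--" and is_dir):
            continue
        if regex.fullmatch(path):
            chosen = ctx
    return chosen


def type_of(context):
    """user:role:type -> type"""
    return context.split(":")[2]


def httpd_can_read(path, entries, is_dir=False):
    """True when the resolved type is one the thread says httpd_t may read."""
    ctx = label_for(path, entries, is_dir)
    return ctx is not None and type_of(ctx) in HTTPD_READABLE


def main():
    base = parse_file_contexts(BASE_FC)
    virt = parse_file_contexts(VIRTUAL_FC)
    for p in ("/var/www/html/index.html",
              "/home/jaspreet/public_html/index.html",
              "/home/jaspreet/notes.txt",
              "/home/virtual/foocom/home/jaspreet/public_html/index.html"):
        print(p)
        print(f"  base:    {label_for(p, base)}  httpd_can_read={httpd_can_read(p, base)}")
        print(f"  virtual: {label_for(p, virt)}  httpd_can_read={httpd_can_read(p, virt)}")


if __name__ == "__main__":
    main()
```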