From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: selinux@tycho.nsa.gov
Subject: [RFC] Apache/SELinux : Enables to prevent web application flaws.
Date: Tue, 16 Sep 2008 14:37:37 +0900
Message-ID: <48CF4621.20808@ak.jp.nec.com>
This is an RFC for the httpd-selinux package.
It invokes Apache's content handlers under an individual security
context chosen according to HTTP authentication.
Apache has a feature to handle various kinds of file formats, such as *.html,
*.php, *.cgi and so on. These are well modularized, and we call them content
handlers.
The idea is simple. httpd-selinux assigns a proper security context
using the setcon() API just before the content handler is invoked. The context
is chosen based on HTTP authentication.
When httpd-selinux accepts an HTTP request from a client, it creates
a one-time thread and waits for its exit. The child thread invokes setcon()
as I noted above, and executes the content handler to generate the HTTP response.
As a result, the web application is kicked off under a restricted domain,
which prevents web application flaws.
Steps to build/install
----------------------
$ vi ~/.rpmmacros # set a proper '%_topdir' macro
$ wget http://<somewhere Fedora mirrors>/path/to/httpd-2.2.9-4.src.rpm
$ svn checkout http://sepgsql.googlecode.com/svn/misc/httpd-selinux
$ ./httpd-selinux/build-httpd-selinux.sh ./httpd-2.2.9-4.src.rpm
$ su -
# rpm -ivh /path/to/rpms/i386/httpd-selinux-2.2.9-4.i386.rpm
Preparing... ########################################### [100%]
1:httpd-selinux ########################################### [100%]
# vi /etc/sysconfig/httpd # add a line: "HTTPD=/usr/sbin/httpd.selinux"
# /etc/init.d/httpd restart
(NOTE) The kernel has to support the type boundary feature.
(NOTE) If the source code seems complex, diff prefork.c against
selinux.c. :)
Configuration
-------------
The file "/etc/httpd/conf.d/httpd-selinux.conf" is a configuration template.
It defines three directives, which can be enclosed in a <Directory> block.
- selinuxAuthConfigFile
It specifies the path to a configuration file that describes pairs of an
authenticated user and its domain/range.
- selinuxAuthDefaultDomain
It specifies the default domain, used when no mapping applies.
- selinuxAuthDefaultRange
It specifies the default range, used when no mapping applies.
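An added example in C (not code from the httpd-selinux module itself) showing how the per-request context described above can be derived from the three directives: the authenticated user is looked up in the selinuxAuthConfigFile mapping, the defaults apply otherwise, and the type and range of httpd's current context are replaced while its SELinux user and role are kept. The mapping-file line format, the sample users and the function names are assumptions; the setcon() call itself is left out so the example runs without libselinux.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample for selinuxAuthConfigFile. The "user domain range"
 * line format is an assumption; the post does not describe the file. */
static const char *auth_map =
    "# user    domain          range\n"
    "alice     httpd_alice_t   s0\n"
    "bob       httpd_bob_t     s0-s0:c0.c15\n";

/* Find user in the map; copy its domain and range out. Returns 1 if found. */
static int lookup_user(const char *map, const char *user,
                       char *domain, size_t dlen, char *range, size_t rlen)
{
    const char *p = map;
    while (*p) {
        char line[256], u[64], d[64], r[64];
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, p, n); line[n] = '\0';
        p += n + (nl ? 1 : 0);
        if (line[0] == '#' || line[0] == '\0') continue;
        if (sscanf(line, "%63s %63s %63s", u, d, r) == 3 && strcmp(u, user) == 0) {
            snprintf(domain, dlen, "%s", d);
            snprintf(range, rlen, "%s", r);
            return 1;
        }
    }
    return 0;
}

/* Build the context the worker thread would hand to setcon(): keep the
 * SELinux user and role of the current context, replace type and range.
 * An unauthenticated request (user == NULL) or an unknown user gets the
 * selinuxAuthDefaultDomain / selinuxAuthDefaultRange values. */
int resolve_context(const char *current, const char *user, const char *map,
                    const char *default_domain, const char *default_range,
                    char *out, size_t outlen)
{
    char seuser[64], role[64], domain[64], range[64];
    if (sscanf(current, "%63[^:]:%63[^:]:", seuser, role) != 2) return -1;
    if (user == NULL || !lookup_user(map, user, domain, sizeof domain, range, sizeof range)) {
        snprintf(domain, sizeof domain, "%s", default_domain);
        snprintf(range, sizeof range, "%s", default_range);
    }
    int n = snprintf(out, outlen, "%s:%s:%s:%s", seuser, role, domain, range);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}
```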
Future plans
------------
* Proposing it to the upstream Apache developers and Fedora community
* Proposing PHP/SELinux binding to PHP developers
* Similar enhancement on application server, like Tomcat
* Full SELinux coverage on LAPP software stack:
http://kaigai.sakura.ne.jp/sblo_files/kaigai/image/080719_lapp.png
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>