* [RFC] Apache/SELinux : Enables to prevent web application flaws.
@ 2008-09-16 5:37 KaiGai Kohei
0 siblings, 0 replies; only message in thread
From: KaiGai Kohei @ 2008-09-16 5:37 UTC (permalink / raw)
To: selinux
It is a RFC for httpd-selinux package.
It enables to invoke its contents handler with an individual security
context based on HTTP authentication.
Apache has a feature to handle various kind of file format like *.html,
*.php, *.cgi and so on. These are well moduled and we call it as contents
handler.
The idea is simple. The httpd-selinux assignes a proper security context
using setcon() API just before contents handler invocation. The context
is identified based on HTTP authentication.
When the httpd-selinux accepts a HTTP request from a client, it creates
a one-time thread and wait for its exit. The child thread invokes setcon()
as I noted above, and execute contents handler to generate HTTP response.
In the result, it enables to kick web application under restricted domain
and prevent web application flaws.
Steps to build/install
----------------------
$ vi ~/.rpmmacros # set a proper '%_topdir' macro
$ wget http://<somewhere Fedora mirrors>/path/to/httpd-2.2.9-4.src.rpm
$ svn checkout http://sepgsql.googlecode.com/svn/misc/httpd-selinux
$ ./httpd-selinux/build-httpd-selinux.sh ./httpd-2.2.9-4.src.rpm
$ su -
# rpm -ivh /path/to/rpms/i386/httpd-selinux-2.2.9-4.i386.rpm
Preparing... ########################################### [100%]
1:httpd-selinux ########################################### [100%]
# vi /etc/sysconfig/httpd # add a line: "HTTPD=/usr/sbin/httpd.selinux"
# /etc/init.d/httpd restart
(NOTE) The kernel has to support type boundary feature.
(NOTE) If you feel the source code is complex, get a diff between prefork.c
and selinux.c. :)
Configuration
-------------
The "/etc/httpd/conf.d/httpd-selinux.conf" is a template of configuration.
It defined three directives which can be enclosed by <Directory> tag.
- selinuxAuthConfigFile
It specifies a path to configuration file which describes pairs of
authenticated user and its domain/range.
- selinuxAuthDefaultDomain
It specifies the default domain.
- selinuxAuthDefaultRange
It specifies the default range.
Future plans
------------
* Proposing it to the upstream Apache developers and Fedora community
* Proposing PHP/SELinux binding to PHP developers
* Similar enhancement on application server, like Tomcat
* Full SELinux coverage on LAPP software stack:
http://kaigai.sakura.ne.jp/sblo_files/kaigai/image/080719_lapp.png
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2008-09-16 5:37 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-09-16 5:37 [RFC] Apache/SELinux : Enables to prevent web application flaws KaiGai Kohei
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.