From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: SELinux <selinux@tycho.nsa.gov>
Cc: Refpolicy <refpolicy@oss.tresys.com>
Subject: Re: [refpolicy] [RFC] mod_selinux security policy
Date: Thu, 07 May 2009 12:56:51 +0900
Message-ID: <4A025C03.50907@ak.jp.nec.com>
In-Reply-To: <49F69A33.2070601@ak.jp.nec.com>
KaiGai Kohei wrote:
> Folks,
>
> Nowadays, I'm also developing a loadable module for apache/httpd,
> named mod_selinux.so. It enables launching web applications with an
> individual security context based on HTTP-authenticated users.
> It internally uses a one-time worker thread for each connection to perform
> as a restrictive domain bounded to httpd_t, due to the hard-wired rule for
> multi-threaded processes.
>
> In the LCA2009 demonstration, all we could show was an individual MCS category
> per HTTP user because of the lack of TE policy.
> The following ugly policy is an example of TE policy for mod_selinux.so.
>
> http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.te
> http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.if
>
> We needed to retain a minimum set of privileges on the bounded domains because
> they also perform as a part of the daemon process, although they are restricted
> in their access to the web contents or database objects.
> (Thus, it allows webapp_type to write to log files, for example.)
>
> In my hope, if we can have an interface to assign the minimum set of privileges
> on the bounded domain, it will be helpful for authors of web applications
> which provide their own security policy. It will enable them to focus on writing
> their policy for web contents.

One possible idea is to define a new attribute (e.g. httpd_server_type) which
contains httpd_t and other domains for built-in web applications.
A minimum set of privileges to perform as a web server process is allowed
on the httpd_server_type, and the rest of the permissions are allowed on individual
types.

Or, add a new template/interface to allow the minimum privileges to perform as
a web server process (e.g. httpd_server_domain); then httpd_t and other
domains for built-in web applications use this template/interface.

Anyway, mod_selinux currently copies and pastes a part of the policies for
apache, but that is basically not good due to the code duplication.

I would like to get any comments prior to pushing the package to Fedora.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
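The attribute-plus-template idea from the message above, written out as a refpolicy-style interface so the two alternatives can be compared concretely. This is an added example, not code from the mod_selinux project, from refpolicy, or from the mail's author. It assumes that the attribute httpd_server_type is declared in apache.te (it is not part of refpolicy as of this mail), that webapp_t is a hypothetical per-user web application type, that httpd_t, httpd_log_t and httpd_sys_content_t are the usual refpolicy apache types, and that the accepted connection socket carries httpd_t's label because the process, not the worker thread, created it.

```m4
########################################
## <summary>
##	Grant a domain the minimum privileges needed to run as a worker
##	thread of the Apache process, and bound it to httpd_t so that the
##	policy build rejects any permission the worker domain would hold
##	that httpd_t itself lacks. (Added example, not refpolicy code.)
## </summary>
## <param name="domain">
##	<summary>
##	Domain type of the built-in web application (hypothetical webapp_t).
##	</summary>
## </param>
#
template(`httpd_server_domain',`
	gen_require(`
		attribute httpd_server_type;      # assumed to be declared in apache.te
		type httpd_t, httpd_log_t, httpd_sys_content_t;
	')

	# Alternative 1 from the mail: membership in a shared attribute, so
	# rules written once against httpd_server_type cover httpd_t and every
	# built-in web application domain.
	typeattribute $1 httpd_server_type;

	# The worker stays a thread of the httpd_t process, so its permissions
	# must be a subset of httpd_t's (typebounds needs policy version 24+).
	typebounds httpd_t $1;

	# Alternative 2 from the mail: the minimum a worker thread needs to keep
	# functioning, granted directly by the template.
	allow $1 self:process { signal sigchld };
	allow $1 self:fifo_file rw_fifo_file_perms;

	# The accepted client socket was created by httpd_t before the thread
	# switched domains, so it is labeled httpd_t, not $1 (assumption).
	allow $1 httpd_t:tcp_socket rw_socket_perms;

	# Log files: append only, never read, rewrite or truncate.
	allow $1 httpd_log_t:file { append getattr };

	# Read-only access to default web content. Each web application type
	# adds rules for its own content and database objects in its own module.
	allow $1 httpd_sys_content_t:dir list_dir_perms;
	allow $1 httpd_sys_content_t:file read_file_perms;
')

# ---- consumer side, e.g. a hypothetical webapp_example.te ----
# policy_module(webapp_example, 1.0)
#
# type webapp_t;
# httpd_server_domain(webapp_t)
#
# # Application-specific rules go here; anything beyond what httpd_t
# # holds is rejected by the typebounds check when the module is built.
```

Two points are worth checking after building such a module. First, checkpolicy and semodule enforce typebounds at build time, so a bounded type that is granted a permission its parent lacks fails to load rather than silently gaining it; that failure is the desired behaviour, not a bug in the template. Second, the resulting access can be inspected with setools, for example `sesearch -A -s webapp_t -t httpd_log_t -c file` should list only append and getattr, confirming that the worker domain cannot read or truncate the server log.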