Message-ID: <4A08C0DC.30108@ak.jp.nec.com>
Date: Tue, 12 May 2009 09:20:44 +0900
From: KaiGai Kohei
To: "Christopher J. PeBenito"
CC: dwalsh@redhat.com, method@manicmethod.com, russell@coker.com.au, SE-Linux
Subject: Re: daemons and MCS categories
References: <200605220930.05483.russell@coker.com.au> <1148910738.14262.67.camel@sgc.columbia.tresys.com> <49EC1F11.6040003@ak.jp.nec.com> <49ED29CC.6080507@ak.jp.nec.com> <49EED77F.5060407@ak.jp.nec.com> <4A07B36C.1080305@ak.jp.nec.com> <1242045456.5102.3.camel@gorn.columbia.tresys.com>
In-Reply-To: <1242045456.5102.3.camel@gorn.columbia.tresys.com>
List-Id: selinux@tycho.nsa.gov

Christopher J. PeBenito wrote:
> On Mon, 2009-05-11 at 14:11 +0900, KaiGai Kohei wrote:
>> Is anyone interested in running daemon processes with MCS categories?
>>
>> My proposition tries to cover general daemon processes, but my
>> major concern is apache/httpd performing without any categories.
>> If we focus on apache/httpd, we can add the following policy
>> within mod_selinux.pp, and it enables httpd_t to run with
>> MCS categories.
>>
>> optional_policy(`
>>     init_ranged_daemon_domain(httpd_t,httpd_exec_t,s0 - mcs_systemhigh)
>> ')
>>
>> The mod_selinux.so is an apache/httpd module which enables it to
>> change its own security context prior to launching the content
>> handler. We can set up the module to drop all the categories
>> for unauthorized http clients, and the rest of the requests perform
>> with appropriate categories.
>>
>> The above rule will be available only when mod_selinux is installed.
>> I don't think it has any impact on existing stuff.
>
> I think we should leave this up to the users. Apache should only be
> given the set of categories which is the union of all of the categories
> used by mod_selinux, which can only be determined by the users.

Yes, I also think it is more preferable than a (mostly) hard-wired mcs_systemhigh.

However, the matter is the way to start up httpd with certain categories.
run_init invokes all the daemon processes with the security context configured
in /etc/selinux/$POLICYTYPE/contexts/initrc_context, and the case when the
system startup script kicks them also does not care about anything.

What is a preferable idea?

Here is one other idea I noticed yesterday.

1. The mod_selinux package installs mod_selinux.pp, which adds a
   range_transition rule to mcs_systemhigh on httpd_t and httpd_exec_t,
   as I noted above.
2. The mod_selinux.so (loadable module for httpd) drops unnecessary
   categories at the ap_run_post_config() hook, which gives modules a
   chance to verify the global configuration.

It is an Apache/httpd specific solution, but 99% of my concern will be solved.

Thanks,

>> KaiGai Kohei wrote:
>>> The attached patch is a proof-of-concept for the facility to launch
>>> daemon processes with certain MCS ranges.
>>>
>>> The selinux-daemon-mcs-run_init.patch adds to run_init a new option which
>>> specifies the name of the daemon.
>>>
>>>   # run_init -n httpd /etc/init.d/httpd restart
>>>
>>> When the -n option is given, run_init looks up under
>>> /etc/selinux//contexts/initrc/, and replaces the
>>> range to be assigned on the init script.
>>>
>>>   [root@saba run_init]# cat /etc/selinux/targeted/contexts/initrc/httpd
>>>   s0-s0:c0.c31
>>>   [root@saba run_init]# ./run_init -n httpd /etc/init.d/httpd restart
>>>   Authenticating kaigai.
>>>   Password:
>>>   Stopping httpd:                                            [  OK  ]
>>>   Starting httpd:                                            [  OK  ]
>>>   [root@saba run_init]# ps -AZ | grep httpd
>>>   system_u:system_r:httpd_t:s0-s0:c0.c31 11303 ?        00:00:00 httpd
>>>   system_u:system_r:httpd_t:s0-s0:c0.c31 11305 ?        00:00:00 httpd
>>>   system_u:system_r:httpd_t:s0-s0:c0.c31 11308 ?        00:00:00 httpd
>>>   system_u:system_r:httpd_t:s0-s0:c0.c31 11309 ?        00:00:00 httpd
>>>   system_u:system_r:httpd_t:s0-s0:c0.c31 11310 ?        00:00:00 httpd
>>>   :
>>>
>>> The selinux-daemon-mcs-rc-script.patch is a short hack to the system
>>> init script. It launches the required script with "runcon -l", if a
>>> per-daemon range is configured.
>>>
>>> These reworks typically enable a web application (launched by httpd) to
>>> perform in a certain restrictive category of MCS.
>>> Currently, mod_selinux's security policy module assigns "mcssetcats"
>>> on httpd_t, but it is fundamentally dangerous and nonsense. :(
>>>
>>> So, I would like to see the daemon processes with appropriate categories.
>>>
>>> Thanks,
>>>
>>> KaiGai Kohei wrote:
>>>> KaiGai Kohei wrote:
>>>>> Sorry for opening the old discussion again.
>>>>>
>>>>> If you don't have the ML logs locally, please see the archives:
>>>>>   http://marc.info/?t=114825463100001&r=1&w=2
>>>>>
>>>>> Christopher J. PeBenito wrote:
>>>>>> I agree with James on this, I don't think we want to impose semantics in
>>>>>> the MCS categories, and that this
>>>>>>
>>>>>>> Another possibility is to have the ability to configure which categories are
>>>>>>> assigned to a daemon via run_init or some similar program. It would not be
>>>>>>> difficult to read a config file that maps the domain of a daemon to the range
>>>>>>> that should be granted to it.
>>>>>>
>>>>>> is useful so that if users do want to run a daemon with categories, they
>>>>>> can.
>>>>>
>>>>> It is still unavailable in the current SELinux userspace utilities, isn't it?
>>>>
>>>> Shall we start to implement an extension of run_init and others based on
>>>> the above Russell's idea?
>>>>
>>>> Now, I have a plan to store configuration files at:
>>>>   /etc/selinux/${POLICY_TYPE}/contexts/initrc/${DAEMON}
>>>> or
>>>>   /etc/selinux/${POLICY_TYPE}/contexts/initrc_contexts with format extensions
>>>>
>>>> and, add a new option to run_init as:
>>>>   run_init [-n ]
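As an added example (not code from this thread, run_init or mod_selinux), a small Python helper for the two checks the discussion above implies: computing the union of all categories mod_selinux will hand out, which is the range PeBenito suggests writing into contexts/initrc/httpd, and verifying that a per-request range only drops categories from the daemon's range rather than adding any (the behaviour "mcssetcats" would allow). It assumes MCS's single sensitivity s0, and the input ranges are constructed for illustration.

```python
import re

# One MCS category spec: "c5", or a contiguous run such as "c0.c31".
_CAT = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def categories(mcs_range):
    """Category set of the high level of an MCS range, e.g. 's0-s0:c0.c31' or 's0:c1,c3.c5'."""
    low, _, high = mcs_range.partition("-")
    sens, _, cats = (high or low).partition(":")
    if sens != "s0":  # assumption: MCS only, no real sensitivity levels
        raise ValueError("MCS ranges use sensitivity s0 only: %r" % mcs_range)
    out = set()
    for part in filter(None, cats.split(",")):
        m = _CAT.match(part)
        if not m:
            raise ValueError("bad category spec %r in %r" % (part, mcs_range))
        a, b = int(m.group(1)), int(m.group(2) or m.group(1))
        if b < a:
            raise ValueError("descending run %r in %r" % (part, mcs_range))
        out.update(range(a, b + 1))
    return frozenset(out)


def format_cats(cats):
    """Compact a category set as the kernel prints it: runs of 3+ as 'c0.c2', pairs as 'c0,c1'."""
    cats, runs, i = sorted(cats), [], 0
    while i < len(cats):
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        if j - i >= 2:
            runs.append("c%d.c%d" % (cats[i], cats[j]))
        else:
            runs.extend("c%d" % c for c in cats[i:j + 1])
        i = j + 1
    return ",".join(runs)


def union_range(ranges):
    """Smallest daemon range (for contexts/initrc/<daemon>) covering every per-client range."""
    cats = frozenset().union(*(categories(r) for r in ranges))
    return "s0-s0:" + format_cats(cats) if cats else "s0"


def dominates(daemon_range, request_range):
    """True if request_range is reachable from daemon_range by dropping categories only."""
    return categories(request_range) <= categories(daemon_range)
```

Feeding the per-client ranges configured for mod_selinux into union_range() gives the value to store for httpd, and dominates() is the check a category-dropping hook should pass for every request.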