Re: daemons and MCS categories

[KaiGai Kohei <kaigai@ak.jp.nec.com>]

KaiGai Kohei wrote:
> Christopher J. PeBenito wrote:
>> On Mon, 2009-05-11 at 14:11 +0900, KaiGai Kohei wrote:
>>> Are anyone interested in the daemon process with mcs categories?
>>>
>>> My proposition tries to cover general daemon processes, but my
>>> major concern is apache/httpd performing without any categories.
>>> If we focus on the apache/httpd, we can add the following policy
>>> within the mod_selinux.pp, and it enables to run httpd_t with
>>> mcs categories.
>>>
>>>   optional_policy(`
>>>       init_ranged_daemon_domain(httpd_t,httpd_exec_t,s0 - mcs_systemhigh)
>>>   ')
>>>
>>> The mod_selinux.so is an apache/httpd module which enables to
>>> change its own security context prior to launching contents
>>> handler. We can set up the module to drop all the categories
>>> for unauthorized http clients, and rest of requests to perform
>>> with appropriate categories.
>>>
>>> The above rule will be available only when mod_selinux is installed.
>>> I don't think it gives any impact for existing stuffs.
>> I think we should leave this up to the users.  Apache should only be
>> given the set of categories which is the union of all of the categories
>> used by mod_selinux, which can only be determined by the users.
> 
> Yes, I also think it is more preferable than (mostly) wired mcs_systemhigh.
> However, the matter is the way to start up httpd with certain categories.
> The run_init invokes all the daemon process with a security context
> configured in /etc/selinux/$POLICYTYPE/contexts/initrc_context, and
> the case when system startup script kicks them also does not care anything.
> 
> What is a preferable idea?
> 
> Here is one other idea I noticed yesterday.
> 1. The mod_selinux package installs mod_selinux.pp which adds a range_transition
>    rule to mcs_systemhigh on httpd_t and httpd_exec_t as I noted above.
> 2. The mod_selinux.so (loadable module for httpd) drops unnecessary categories
>    at the ap_run_post_config() hook which gives modules a change to verify
>    global configuration.
> 
> It is Apache/httpd specific solution, but 99% of my concern will be solved.

I tried to implement the idea, and it seems to me it works correctly.
  http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.c#123

o /etc/httpd/conf.d/mod_selinux.conf
    :
  selinuxServerDomain     *:s0-s0:c0.c15
    :

  This global directive specifies a domain/range pair to be performed as.

o /var/log/httpd/error_log
      :
  [Wed May 13 12:48:32 2009] [notice] SELinux policy enabled; \
    httpd running as context system_u:system_r:httpd_t:s0-s0:c0.c1023
      :
  [Wed May 13 12:48:32 2009] [debug] mod_selinux.c(154): SELinux: \
    replace server domain: system_u:system_r:httpd_t:s0-s0:c0.c1023/*:s0-s0:c0.c15
      :

  The log message said the apache/httpd was initially started up with
  system_u:system_r:httpd_t:s0-s0:c0.c1023, then mod_selinux dropped
  unnecessary categories according to the selinuxServerDomain .
  (mod_selinux.pp add a range_transition rule.)

o ps -AZ
  [root@saba ~]# ps -AZ | grep httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 2994 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 2997 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 2998 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 2999 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 3000 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 3001 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 3002 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 3003 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 3004 ?  00:00:00 httpd

  It can assign content handler a category between c0 and c15
  based on the http authentication.

I think 80% of the package is ready to push for Fedora Project.
The remaining issue is the following ugly policy:
  http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.if

If possible, I would like services/apache.if to provide an interface to
assign minimum set of privileges to perform as a part of httpd process.
It enables web-application authors to focus on access controls for
web contents.

Thanks,

> Thanks,
> 
>>> KaiGai Kohei wrote:
>>>> The attached patch is a proof-of-concept for the facility to launch
>>>> daemon processes with a certaon mcs ranges.
>>>>
>>>> The selinux-daemon-mcs-run_init.patch add run_init a new option which
>>>> specifies the name of daemon.
>>>>
>>>>   # run_init -n httpd /etc/init.d/httpd restart
>>>>
>>>> When -n option is given, run_init lookups under the
>>>> /etc/selinux/<policy type>/contexts/initrc/<daemon>, and replaces the
>>>> range to be assigned on the init script.
>>>>
>>>>   [root@saba run_init]# cat /etc/selinux/targeted/contexts/initrc/httpd
>>>>   s0-s0:c0.c31
>>>>   [root@saba run_init]# ./run_init -n httpd /etc/init.d/httpd restart
>>>>   Authenticating kaigai.
>>>>   Password:
>>>>   Stopping httpd:                                            [  OK  ]
>>>>   Starting httpd:                                            [  OK  ]
>>>>   [root@saba run_init]# ps -AZ | grep httpd
>>>>   system_u:system_r:httpd_t:s0-s0:c0.c31 11303 ? 00:00:00 httpd
>>>>   system_u:system_r:httpd_t:s0-s0:c0.c31 11305 ? 00:00:00 httpd
>>>>   system_u:system_r:httpd_t:s0-s0:c0.c31 11308 ? 00:00:00 httpd
>>>>   system_u:system_r:httpd_t:s0-s0:c0.c31 11309 ? 00:00:00 httpd
>>>>   system_u:system_r:httpd_t:s0-s0:c0.c31 11310 ? 00:00:00 httpd
>>>>      :
>>>>
>>>> The selinux-daemon-mcs-rc-script.patch is a short hack to the system
>>>> init script. It launches the required script with "runcon -l", if
>>>> per-daemon range is configured.
>>>>
>>>> These reworks typicall enable web-application (launched by httpd) to
>>>> perform in a certain restrictive category of MCS.
>>>> Currently, mod_selinux's security policy module assigns "mcssetcats"
>>>> on httpd_t, but it is fundamentally denger and nonsense. :(
>>>>
>>>> So, I would like to see the daemon processes with appropriate categories.
>>>>
>>>> Thanks,
>>>>
>>>> KaiGai Kohei wrote:
>>>>> KaiGai Kohei wrote:
>>>>>> Sorry for opening the old discussion again.
>>>>>>
>>>>>> If you don't ML logs in local, please see the archives:
>>>>>>   http://marc.info/?t=114825463100001&r=1&w=2
>>>>>>
>>>>>> Christopher J. PeBenito wrote:
>>>>>>> I agree with James on this, I don't think we want to impose semantics in
>>>>>>> the MCS categories, and that this
>>>>>>>
>>>>>>>> Another possibility is to have the ability to configure which categories are 
>>>>>>>> assigned to a daemon via run_init or some similar program.  It would not be 
>>>>>>>> difficult to read a config file that maps the domain of a daemon to the range 
>>>>>>>> that should be granted to it.
>>>>>>> is useful so that if users do want to run a daemon with categories, they
>>>>>>> can.
>>>>>> Is it still unavailable on the current SELinux userspace utilities, isn't it?
>>>>> Shall we start to implement an extention of run_init and others based on
>>>>> the above Russell's idea?
>>>>>
>>>>> Now, I have a plan to store configuration files at:
>>>>>   /etc/selinux/${POLICY_TYPE}/contexts/initrc/${DAEMON}
>>>>>    or
>>>>>   /etc/selinux/${POLICY_TYPE}/contexts/initrc_contexts with format extensions
>>>>>
>>>>> and, add a new option to run_init as:
>>>>>   run_init [-n <daemon>] <script> [<args> ...]
>>>>>
>>>>>   It intends to see the per-daemon default range, instead of the initrc_contexts.
>>>>>
>>>>> and, add a bit of hacks on the /etc/rc.d/rc script which launches daemon scripts
>>>>> when run-level is changed. (Maybe, it is necessary to launch them via "runcon -l"
>>>>> when the given daemon has its own range.)
>>>>>
>>>>> The last also need to have a discussion in the Fedora developer's list.
>>>>> Dan, do you think it is a hopefull proposition?
>>>>>
>>>>> Thanks,
>>>>>
>>>>>> If we could start the init-scripts via runcon by hand, it seems to me the
>>>>>> daemon processes performs with multi categories.
>>>>>>
>>>>>>  | [root@saba ~]# runcon -l s0-s0:c0.c255 /etc/init.d/httpd restart
>>>>>>  | Stopping httpd:                                            [  OK  ]
>>>>>>  | Starting httpd:                                            [  OK  ]
>>>>>>  | [root@saba ~]# ps -AZ | grep httpd
>>>>>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6458 ? 00:00:00 httpd
>>>>>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6460 ? 00:00:00 httpd
>>>>>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6461 ? 00:00:00 httpd
>>>>>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6462 ? 00:00:00 httpd
>>>>>>  |      :
>>>>>>
>>>>>> But it is unavailable when the system kicks init-script on startup time.
>>>>>> Is there any good idea?
>>>>>>
>>>>>> In the recent days, I'm working for an apache module (mod_selinux.so) which
>>>>>> launches web application handler under an individual security context based
>>>>>> on http-authentication.
>>>>>> I'm looking for the way to assign a few dozens of categories on httpd server
>>>>>> processes which are launched at system startup time.
>>>>>>
>>>>>> Thanks,
> 
> 


-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.