* daemons and MCS categories
@ 2006-05-21 23:30 Russell Coker
  2006-05-25  5:07 ` James Morris
  2006-05-29 13:52 ` Christopher J. PeBenito
  0 siblings, 2 replies; 15+ messages in thread
From: Russell Coker @ 2006-05-21 23:30 UTC (permalink / raw)
  To: SE-Linux; +Cc: Shintaro Fujiwara

It seems to me that there is a benefit to giving some categories to daemons.

For example we may have two different categories for files that should be 
protected from each other but which are to be shared by Apache (note that 
categories in MCS are used for protecting integrity as well as 
confidentiality).

One idea that occurred to me is to give Apache (and other daemons) categories 
c128.c255.  Then there are 128 categories that can be used to restrict access 
of files that should not be accessed by daemons and 128 categories that can 
be used for files that can be accessed by daemons.

Another possibility is to have the ability to configure which categories are 
assigned to a daemon via run_init or some similar program.  It would not be 
difficult to read a config file that maps the domain of a daemon to the range 
that should be granted to it.


What do you think?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: daemons and MCS categories
  2006-05-21 23:30 daemons and MCS categories Russell Coker
@ 2006-05-25  5:07 ` James Morris
       [not found]   ` <1148538208.1797.23.camel@papa.intrajp-yokosuka.co.jp>
  2006-05-29 13:52 ` Christopher J. PeBenito
  1 sibling, 1 reply; 15+ messages in thread
From: James Morris @ 2006-05-25  5:07 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE-Linux, Shintaro Fujiwara, Daniel J Walsh

On Mon, 22 May 2006, Russell Coker wrote:

> Another possibility is to have the ability to configure which categories are 
> assigned to a daemon via run_init or some similar program.  It would not be 
> difficult to read a config file that maps the domain of a daemon to the range 
> that should be granted to it.

I think the latter is a better idea if this is going to be done, rather 
than imposing semantics in the MCS categories.


-- 
James Morris
<jmorris@namei.org>


* Re: daemons and MCS categories
       [not found]   ` <1148538208.1797.23.camel@papa.intrajp-yokosuka.co.jp>
@ 2006-05-25  7:12     ` Russell Coker
  0 siblings, 0 replies; 15+ messages in thread
From: Russell Coker @ 2006-05-25  7:12 UTC (permalink / raw)
  To: Shintaro Fujiwara; +Cc: James Morris, Daniel J Walsh, SE-Linux

On Thursday 25 May 2006 16:23, Shintaro Fujiwara <shin216@xf7.so-net.ne.jp> 
wrote:
> What I really want to do, is let apache run say
> s0:c0.c2 and do Unix users do their jobs,
> webdesigner-s0:c0,scriptwriter-s0:c1,webmaster-s0:c2
> (whatever the word is).
> So, I can tell scriptwriter and webmaster (not designer
> this time) root password.
> I understand if they can be root, they cannot do anything
> harmful to the system.
> It's useful when I have several men under me (sysadmin)
> who are not so skillful.

One thing you didn't mention is whether you plan to use strict or targeted 
policy on the machine in question.  I know that you use strict at home, but 
targeted is the default (and the easy option) so I guess it's likely that you 
use it at work.

In targeted policy users run as unconfined_t, so therefore giving out the root 
password allows doing every harmful thing.  sudo may be a solution to this.  
If the daemon is to have more categories than the user who starts it then 
run_init can be used to run it.

In strict policy you can restrict the damage from the root account (although 
it takes a little configuration work).

But it seems that you are raising a new issue here, that of securely 
restarting daemons by users other than the sys-admin.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* Re: daemons and MCS categories
  2006-05-21 23:30 daemons and MCS categories Russell Coker
  2006-05-25  5:07 ` James Morris
@ 2006-05-29 13:52 ` Christopher J. PeBenito
  2009-04-20  7:06   ` KaiGai Kohei
  1 sibling, 1 reply; 15+ messages in thread
From: Christopher J. PeBenito @ 2006-05-29 13:52 UTC (permalink / raw)
  To: russell; +Cc: SE-Linux, Shintaro Fujiwara

On Mon, 2006-05-22 at 09:30 +1000, Russell Coker wrote:
> It seems to me that there is a benefit to giving some categories to daemons.
> 
> For example we may have two different categories for files that should be 
> protected from each other but which are to be shared by Apache (note that 
> categories in MCS are used for protecting integrity as well as 
> confidentiality).

I don't understand why you say that, MCS isn't used for integrity, that
is what type enforcement is for.

> One idea that occurred to me is to give Apache (and other daemons) categories 
> c128.c255.  Then there are 128 categories that can be used to restrict access 
> of files that should not be accessed by daemons and 128 categories that can 
> be used for files that can be accessed by daemons.

I agree with James on this, I don't think we want to impose semantics in
the MCS categories, and that this

> Another possibility is to have the ability to configure which categories are 
> assigned to a daemon via run_init or some similar program.  It would not be 
> difficult to read a config file that maps the domain of a daemon to the range 
> that should be granted to it.

is useful so that if users do want to run a daemon with categories, they
can.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: daemons and MCS categories
  2006-05-29 13:52 ` Christopher J. PeBenito
@ 2009-04-20  7:06   ` KaiGai Kohei
  2009-04-21  2:05     ` KaiGai Kohei
  0 siblings, 1 reply; 15+ messages in thread
From: KaiGai Kohei @ 2009-04-20  7:06 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: russell, SE-Linux, Shintaro Fujiwara

Sorry for opening the old discussion again.

If you don't have the ML logs locally, please see the archives:
  http://marc.info/?t=114825463100001&r=1&w=2

Christopher J. PeBenito wrote:
> I agree with James on this, I don't think we want to impose semantics in
> the MCS categories, and that this
> 
>> Another possibility is to have the ability to configure which categories are 
>> assigned to a daemon via run_init or some similar program.  It would not be 
>> difficult to read a config file that maps the domain of a daemon to the range 
>> that should be granted to it.
> 
> is useful so that if users do want to run a daemon with categories, they
> can.

It is still unavailable in the current SELinux userspace utilities, isn't it?

If we start the init scripts via runcon by hand, it seems to me the
daemon processes perform with multiple categories.

 | [root@saba ~]# runcon -l s0-s0:c0.c255 /etc/init.d/httpd restart
 | Stopping httpd:                                            [  OK  ]
 | Starting httpd:                                            [  OK  ]
 | [root@saba ~]# ps -AZ | grep httpd
 | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6458 ? 00:00:00 httpd
 | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6460 ? 00:00:00 httpd
 | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6461 ? 00:00:00 httpd
 | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6462 ? 00:00:00 httpd
 |      :

But this is unavailable when the system kicks off the init scripts at startup time.
Are there any good ideas?

Recently, I have been working on an Apache module (mod_selinux.so) which
launches the web application handler under an individual security context based
on HTTP authentication.
I'm looking for a way to assign a few dozen categories to the httpd server
processes which are launched at system startup time.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>


* Re: daemons and MCS categories
  2009-04-20  7:06   ` KaiGai Kohei
@ 2009-04-21  2:05     ` KaiGai Kohei
  2009-04-22  8:38       ` KaiGai Kohei
  0 siblings, 1 reply; 15+ messages in thread
From: KaiGai Kohei @ 2009-04-21  2:05 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: russell, SE-Linux, dwalsh

KaiGai Kohei wrote:
> Sorry for opening the old discussion again.
> 
> If you don't ML logs in local, please see the archives:
>   http://marc.info/?t=114825463100001&r=1&w=2
> 
> Christopher J. PeBenito wrote:
>> I agree with James on this, I don't think we want to impose semantics in
>> the MCS categories, and that this
>>
>>> Another possibility is to have the ability to configure which categories are 
>>> assigned to a daemon via run_init or some similar program.  It would not be 
>>> difficult to read a config file that maps the domain of a daemon to the range 
>>> that should be granted to it.
>> is useful so that if users do want to run a daemon with categories, they
>> can.
> 
> Is it still unavailable on the current SELinux userspace utilities, isn't it?

Shall we start to implement an extension of run_init and others based on
Russell's idea above?

Now, I have a plan to store configuration files at:
  /etc/selinux/${POLICY_TYPE}/contexts/initrc/${DAEMON}
   or
  /etc/selinux/${POLICY_TYPE}/contexts/initrc_contexts with format extensions

and, add a new option to run_init as:
  run_init [-n <daemon>] <script> [<args> ...]

  It is intended to look up the per-daemon default range, instead of initrc_contexts.

and add a few hacks to the /etc/rc.d/rc script, which launches daemon scripts
when the run-level is changed. (Maybe it is necessary to launch them via "runcon -l"
when the given daemon has its own range.)

The last also needs a discussion on the Fedora developers' list.
Dan, do you think it is a hopeful proposition?

Thanks,

> If we could start the init-scripts via runcon by hand, it seems to me the
> daemon processes performs with multi categories.
> 
>  | [root@saba ~]# runcon -l s0-s0:c0.c255 /etc/init.d/httpd restart
>  | Stopping httpd:                                            [  OK  ]
>  | Starting httpd:                                            [  OK  ]
>  | [root@saba ~]# ps -AZ | grep httpd
>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6458 ? 00:00:00 httpd
>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6460 ? 00:00:00 httpd
>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6461 ? 00:00:00 httpd
>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6462 ? 00:00:00 httpd
>  |      :
> 
> But it is unavailable when the system kicks init-script on startup time.
> Is there any good idea?
> 
> In the recent days, I'm working for an apache module (mod_selinux.so) which
> launches web application handler under an individual security context based
> on http-authentication.
> I'm looking for the way to assign a few dozens of categories on httpd server
> processes which are launched at system startup time.
> 
> Thanks,


-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>


* Re: daemons and MCS categories
  2009-04-21  2:05     ` KaiGai Kohei
@ 2009-04-22  8:38       ` KaiGai Kohei
  2009-05-11  5:11         ` KaiGai Kohei
  0 siblings, 1 reply; 15+ messages in thread
From: KaiGai Kohei @ 2009-04-22  8:38 UTC (permalink / raw)
  To: dwalsh, method; +Cc: Christopher J. PeBenito, russell, SE-Linux

[-- Attachment #1: Type: text/plain, Size: 4546 bytes --]

The attached patch is a proof-of-concept for the facility to launch
daemon processes with a certain MCS range.

The selinux-daemon-mcs-run_init.patch adds a new option to run_init which
specifies the name of the daemon.

  # run_init -n httpd /etc/init.d/httpd restart

When the -n option is given, run_init looks up
/etc/selinux/<policy type>/contexts/initrc/<daemon>, and replaces the
range to be assigned to the init script.

  [root@saba run_init]# cat /etc/selinux/targeted/contexts/initrc/httpd
  s0-s0:c0.c31
  [root@saba run_init]# ./run_init -n httpd /etc/init.d/httpd restart
  Authenticating kaigai.
  Password:
  Stopping httpd:                                            [  OK  ]
  Starting httpd:                                            [  OK  ]
  [root@saba run_init]# ps -AZ | grep httpd
  system_u:system_r:httpd_t:s0-s0:c0.c31 11303 ? 00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c31 11305 ? 00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c31 11308 ? 00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c31 11309 ? 00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c31 11310 ? 00:00:00 httpd
     :

The selinux-daemon-mcs-rc-script.patch is a short hack to the system
init script. It launches the required script with "runcon -l", if
per-daemon range is configured.

These reworks typically enable a web application (launched by httpd) to
perform in a certain restrictive category of MCS.
Currently, mod_selinux's security policy module assigns "mcssetcats"
to httpd_t, but it is fundamentally dangerous and nonsense. :(

So, I would like to see the daemon processes with appropriate categories.

Thanks,

KaiGai Kohei wrote:
> KaiGai Kohei wrote:
>> Sorry for opening the old discussion again.
>>
>> If you don't ML logs in local, please see the archives:
>>   http://marc.info/?t=114825463100001&r=1&w=2
>>
>> Christopher J. PeBenito wrote:
>>> I agree with James on this, I don't think we want to impose semantics in
>>> the MCS categories, and that this
>>>
>>>> Another possibility is to have the ability to configure which categories are 
>>>> assigned to a daemon via run_init or some similar program.  It would not be 
>>>> difficult to read a config file that maps the domain of a daemon to the range 
>>>> that should be granted to it.
>>> is useful so that if users do want to run a daemon with categories, they
>>> can.
>> Is it still unavailable on the current SELinux userspace utilities, isn't it?
> 
> Shall we start to implement an extension of run_init and others based on
> the above Russell's idea?
> 
> Now, I have a plan to store configuration files at:
>   /etc/selinux/${POLICY_TYPE}/contexts/initrc/${DAEMON}
>    or
>   /etc/selinux/${POLICY_TYPE}/contexts/initrc_contexts with format extensions
> 
> and, add a new option to run_init as:
>   run_init [-n <daemon>] <script> [<args> ...]
> 
>   It intends to see the per-daemon default range, instead of the initrc_contexts.
> 
> and, add a bit of hacks on the /etc/rc.d/rc script which launches daemon scripts
> when run-level is changed. (Maybe, it is necessary to launch them via "runcon -l"
> when the given daemon has its own range.)
> 
> The last also need to have a discussion in the Fedora developer's list.
> Dan, do you think it is a hopeful proposition?
> 
> Thanks,
> 
>> If we could start the init-scripts via runcon by hand, it seems to me the
>> daemon processes performs with multi categories.
>>
>>  | [root@saba ~]# runcon -l s0-s0:c0.c255 /etc/init.d/httpd restart
>>  | Stopping httpd:                                            [  OK  ]
>>  | Starting httpd:                                            [  OK  ]
>>  | [root@saba ~]# ps -AZ | grep httpd
>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6458 ? 00:00:00 httpd
>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6460 ? 00:00:00 httpd
>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6461 ? 00:00:00 httpd
>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6462 ? 00:00:00 httpd
>>  |      :
>>
>> But it is unavailable when the system kicks init-script on startup time.
>> Is there any good idea?
>>
>> In the recent days, I'm working for an apache module (mod_selinux.so) which
>> launches web application handler under an individual security context based
>> on http-authentication.
>> I'm looking for the way to assign a few dozens of categories on httpd server
>> processes which are launched at system startup time.
>>
>> Thanks,
> 
> 


-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

[-- Attachment #2: selinux-daemon-mcs-run_init.patch --]
[-- Type: text/x-patch, Size: 2541 bytes --]

diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c
index 9db766c..e4442a3 100644
--- a/policycoreutils/run_init/run_init.c
+++ b/policycoreutils/run_init/run_init.c
@@ -338,12 +338,64 @@ int get_init_context(security_context_t * context)
 
 }				/* get_init_context() */
 
+/*
+ * fuxup_daemon_context()
+ *
+ * Fixup the range of CONTEXT based on per-daemon setups
+ *
+ * in:		The original CONTEXT
+ * out:		The modified CONTEXT, if necessary.
+ * return:	The modified CONTEXT, or NULL if error.
+ */
+static security_context_t
+fixup_daemon_context(security_context_t oldcon, const char *daemon)
+{
+	FILE *fp;
+	const char *whitespace = " \f\n\r\t\v";
+	char filename[PATH_MAX], buf[255];
+	security_context_t newcon = oldcon;
+
+	snprintf(filename, sizeof(filename) - 1, "%s/initrc/%s",
+		 selinux_contexts_path(), daemon);
+	fp = fopen(filename, "r");
+	if (!fp)
+		return oldcon;	/* no need to fixup */
+
+	while (1) {		/* loop until we find a non-empty line */
+		context_t context;
+		char *range;
+
+		if (!fgets(buf, sizeof(buf), fp))
+			break;
+
+		range = strtok(buf, whitespace);
+		if (!range)
+			continue;
+
+		newcon = NULL;
+		if (strtok(NULL, whitespace))
+			break;
+
+		context = context_new(oldcon);
+		if (!context)
+			break;
+
+		if (context_range_set(context, range))
+			break;
+
+		newcon = context_str(context);
+		break;
+	}
+	fclose(fp);
+	return newcon;
+}
+
 /*****************************************************************************
  * main()                                                                    *
  *****************************************************************************/
 int main(int argc, char *argv[])
 {
-
+	const char *daemon = NULL;
 	extern char *optarg;	/* used by getopt() for arg strings */
 	extern int opterr;	/* controls getopt() error messages */
 	security_context_t new_context;	/* context for the init script context  */
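
Review bot: In fixup_daemon_context(), the daemon argument is copied from the command line straight into the "%s/initrc/%s" path, so a name containing "/" or ".." makes run_init take its range from a file outside the contexts/initrc directory; reject such names before building the path and treat a truncated snprintf() result as an error rather than opening whatever the cut-off path names. The context_t returned by context_new() is never released with context_free() on the break paths, and the comment header spells the function "fuxup_daemon_context()".
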
@@ -372,6 +424,10 @@ int main(int argc, char *argv[])
 		fprintf(stderr, "%s\n", USAGE_STRING);
 		exit(-1);
 	}
+	if (!strcmp("-n", argv[1]) && argv[2] != NULL) {
+		daemon = argv[2];
+		argv += 2;
+	}
 
 	/*
 	 * Step 2:  Authenticate the user.
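
Review bot: The "-n" handling advances argv by two but leaves argc unchanged and never checks that a script name follows, so "run_init -n httpd" continues past this point with argv[1] == NULL; subtract two from argc as well and repeat the usage check after the shift. The patch does not touch USAGE_STRING, so the new option is not shown to the user when the usage message is printed.
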
@@ -388,6 +444,14 @@ int main(int argc, char *argv[])
 #ifdef CANTSPELLGDB
 		printf("context is %s\n", new_context);
 #endif
+		if (daemon) {
+			new_context = fixup_daemon_context(new_context, daemon);
+			if (!new_context)
+				exit(-1);
+#ifdef CANTSPELLGDB
+			printf("modified context is %s\n", new_context);
+#endif
+		}
 	} else {
 		exit(-1);
 	}
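
Review bot: When fixup_daemon_context() returns NULL the new branch calls exit(-1) without printing anything, so a malformed or multi-token range file makes run_init fail with no hint of the cause; write the daemon name and the reason to stderr before exiting. The assignment also replaces new_context without a freecon() on the original string when a modified context comes back.
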

[-- Attachment #3: selinux-daemon-mcs-rc-script.patch --]
[-- Type: text/x-patch, Size: 936 bytes --]

--- /etc/rc.d/rc.orig	2009-04-21 09:48:27.000000000 +0900
+++ /etc/rc.d/rc	2009-04-22 17:16:57.000000000 +0900
@@ -18,6 +18,17 @@
 	return 0
 }
 
+# SELinux init range
+selinux_init_range ()
+{
+	. /etc/selinux/config
+
+	test -x /usr/sbin/selinuxenabled && /usr/sbin/selinuxenabled || return
+	test -r /etc/selinux/${SELINUXTYPE}/contexts/initrc/$1 || return
+
+	cat /etc/selinux/${SELINUXTYPE}/contexts/initrc/$1
+}
+
 # Now find out what the current and what the previous runlevel are.
 argv1="$1"
 set `/sbin/runlevel`
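
Review bot: selinux_init_range() hands back the whole file through cat, while the run_init patch accepts only a single token on the first non-empty line and fails when a second token follows, so the same initrc/<daemon> file can be treated differently by the two tools; read only the first token here too and return nothing when more follows. The "$1" and "${SELINUXTYPE}" expansions in the test and cat paths should be quoted, and sourcing /etc/selinux/config inside the function sets its variables in the rc script's own shell on every call.
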
@@ -97,7 +108,14 @@
 		export LC_ALL=C
 		exec $i start
 	fi
-	$i start
+	# SELinux range to be launched
+	range=`selinux_init_range $subsys`
+	if [ -n "$range" -a -x /usr/bin/runcon ]; then
+		/usr/bin/runcon -l $range -- $i start
+		echo "$1 was launched as $range"
+	else
+		$i start
+	fi
 	[ -n "$UPSTART" ] && initctl emit --quiet "started $subsys"
 done
 [ "$do_confirm" = "yes" ] && rm -f /var/run/confirm
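
Review bot: $range is expanded unquoted in "/usr/bin/runcon -l $range -- $i start", ahead of the "--", so any whitespace in the range file is split into additional runcon arguments; quote it as "$range". The echo prints "$1", which the earlier "set `/sbin/runlevel`" has already replaced, so it no longer names the service and $subsys should be logged instead. The exit status of runcon is neither checked nor reported, so a range that runcon rejects leaves the daemon unstarted with a message claiming it was launched.
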


* Re: daemons and MCS categories
  2009-04-22  8:38       ` KaiGai Kohei
@ 2009-05-11  5:11         ` KaiGai Kohei
  2009-05-11 12:37           ` Christopher J. PeBenito
  2009-05-16 16:05           ` Joe Nall
  0 siblings, 2 replies; 15+ messages in thread
From: KaiGai Kohei @ 2009-05-11  5:11 UTC (permalink / raw)
  To: dwalsh, method; +Cc: Christopher J. PeBenito, russell, SE-Linux

Is anyone interested in daemon processes with MCS categories?

My proposition tries to cover general daemon processes, but my
major concern is apache/httpd performing without any categories.
If we focus on apache/httpd, we can add the following policy
within mod_selinux.pp, and it enables httpd_t to run with
MCS categories.

  optional_policy(`
      init_ranged_daemon_domain(httpd_t,httpd_exec_t,s0 - mcs_systemhigh)
  ')

mod_selinux.so is an apache/httpd module which enables it to
change its own security context prior to launching the content
handler. We can set up the module to drop all the categories
for unauthorized HTTP clients, and have the rest of the requests perform
with appropriate categories.

The above rule will be available only when mod_selinux is installed.
I don't think it has any impact on existing stuff.

Any comments?

KaiGai Kohei wrote:
> The attached patch is a proof-of-concept for the facility to launch
> daemon processes with a certain mcs ranges.
> 
> The selinux-daemon-mcs-run_init.patch add run_init a new option which
> specifies the name of daemon.
> 
>   # run_init -n httpd /etc/init.d/httpd restart
> 
> When -n option is given, run_init lookups under the
> /etc/selinux/<policy type>/contexts/initrc/<daemon>, and replaces the
> range to be assigned on the init script.
> 
>   [root@saba run_init]# cat /etc/selinux/targeted/contexts/initrc/httpd
>   s0-s0:c0.c31
>   [root@saba run_init]# ./run_init -n httpd /etc/init.d/httpd restart
>   Authenticating kaigai.
>   Password:
>   Stopping httpd:                                            [  OK  ]
>   Starting httpd:                                            [  OK  ]
>   [root@saba run_init]# ps -AZ | grep httpd
>   system_u:system_r:httpd_t:s0-s0:c0.c31 11303 ? 00:00:00 httpd
>   system_u:system_r:httpd_t:s0-s0:c0.c31 11305 ? 00:00:00 httpd
>   system_u:system_r:httpd_t:s0-s0:c0.c31 11308 ? 00:00:00 httpd
>   system_u:system_r:httpd_t:s0-s0:c0.c31 11309 ? 00:00:00 httpd
>   system_u:system_r:httpd_t:s0-s0:c0.c31 11310 ? 00:00:00 httpd
>      :
> 
> The selinux-daemon-mcs-rc-script.patch is a short hack to the system
> init script. It launches the required script with "runcon -l", if
> per-daemon range is configured.
> 
> These reworks typically enable web-application (launched by httpd) to
> perform in a certain restrictive category of MCS.
> Currently, mod_selinux's security policy module assigns "mcssetcats"
> on httpd_t, but it is fundamentally dangerous and nonsense. :(
> 
> So, I would like to see the daemon processes with appropriate categories.
> 
> Thanks,
> 
> KaiGai Kohei wrote:
>> KaiGai Kohei wrote:
>>> Sorry for opening the old discussion again.
>>>
>>> If you don't ML logs in local, please see the archives:
>>>   http://marc.info/?t=114825463100001&r=1&w=2
>>>
>>> Christopher J. PeBenito wrote:
>>>> I agree with James on this, I don't think we want to impose semantics in
>>>> the MCS categories, and that this
>>>>
>>>>> Another possibility is to have the ability to configure which categories are 
>>>>> assigned to a daemon via run_init or some similar program.  It would not be 
>>>>> difficult to read a config file that maps the domain of a daemon to the range 
>>>>> that should be granted to it.
>>>> is useful so that if users do want to run a daemon with categories, they
>>>> can.
>>> Is it still unavailable on the current SELinux userspace utilities, isn't it?
>> Shall we start to implement an extension of run_init and others based on
>> the above Russell's idea?
>>
>> Now, I have a plan to store configuration files at:
>>   /etc/selinux/${POLICY_TYPE}/contexts/initrc/${DAEMON}
>>    or
>>   /etc/selinux/${POLICY_TYPE}/contexts/initrc_contexts with format extensions
>>
>> and, add a new option to run_init as:
>>   run_init [-n <daemon>] <script> [<args> ...]
>>
>>   It intends to see the per-daemon default range, instead of the initrc_contexts.
>>
>> and, add a bit of hacks on the /etc/rc.d/rc script which launches daemon scripts
>> when run-level is changed. (Maybe, it is necessary to launch them via "runcon -l"
>> when the given daemon has its own range.)
>>
>> The last also need to have a discussion in the Fedora developer's list.
>> Dan, do you think it is a hopeful proposition?
>>
>> Thanks,
>>
>>> If we could start the init-scripts via runcon by hand, it seems to me the
>>> daemon processes performs with multi categories.
>>>
>>>  | [root@saba ~]# runcon -l s0-s0:c0.c255 /etc/init.d/httpd restart
>>>  | Stopping httpd:                                            [  OK  ]
>>>  | Starting httpd:                                            [  OK  ]
>>>  | [root@saba ~]# ps -AZ | grep httpd
>>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6458 ? 00:00:00 httpd
>>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6460 ? 00:00:00 httpd
>>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6461 ? 00:00:00 httpd
>>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6462 ? 00:00:00 httpd
>>>  |      :
>>>
>>> But it is unavailable when the system kicks init-script on startup time.
>>> Is there any good idea?
>>>
>>> In the recent days, I'm working for an apache module (mod_selinux.so) which
>>> launches web application handler under an individual security context based
>>> on http-authentication.
>>> I'm looking for the way to assign a few dozens of categories on httpd server
>>> processes which are launched at system startup time.
>>>
>>> Thanks,

-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
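
The category check behind this proposal, as an added example that is not part of the thread, of run_init or of mod_selinux: a simplified C model of MCS category dominance that tells whether a daemon range such as s0-s0:c0.c31 covers the range a handler would run in, and how many of the daemon's categories no handler uses. The function names, the c0..c1023 limit and the sample role ranges are assumptions made for illustration; only the high level of each range is examined.

```c
/* Added example (not from the thread): simplified MCS category dominance. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MCS_MAX_CATS 1024            /* assumption: category space c0..c1023 */
#define WORDS (MCS_MAX_CATS / 64)
typedef struct { uint64_t bits[WORDS]; } catset_t;

/* Parse one "cN" token and advance *p past it; returns 0 on success. */
static int parse_cat(const char **p, unsigned *out)
{
    char *end;
    unsigned long v;
    if ((*p)[0] != 'c' || (*p)[1] < '0' || (*p)[1] > '9')
        return -1;
    v = strtoul(*p + 1, &end, 10);
    if (v >= MCS_MAX_CATS)
        return -1;
    *out = (unsigned)v;
    *p = end;
    return 0;
}

/* Parse "c0.c31,c40": "." is an inclusive span, "," separates entries. */
static int parse_cats(const char *s, catset_t *set)
{
    unsigned lo, hi;
    for (;;) {
        if (parse_cat(&s, &lo))
            return -1;
        hi = lo;
        if (*s == '.') {
            s++;
            if (parse_cat(&s, &hi) || hi < lo)
                return -1;
        }
        for (unsigned c = lo; c <= hi; c++)
            set->bits[c / 64] |= (uint64_t)1 << (c % 64);
        if (*s == '\0')
            return 0;
        if (*s++ != ',')
            return -1;               /* junk after the list, e.g. a second token */
    }
}

/* Category set of the high level of "s0[:cats][-s0[:cats]]" (MCS has only s0). */
static int mcs_high_cats(const char *range, catset_t *out)
{
    const char *high = strchr(range, '-');
    memset(out, 0, sizeof(*out));
    high = high ? high + 1 : range;
    if (strncmp(range, "s0", 2) != 0 || strncmp(high, "s0", 2) != 0)
        return -1;
    if (high[2] == '\0')
        return 0;                    /* bare s0: no categories */
    return high[2] == ':' ? parse_cats(high + 3, out) : -1;
}

/* 1 if daemon_range covers every category of target_range, 0 if not, -1 on bad input. */
int mcs_dominates(const char *daemon_range, const char *target_range)
{
    catset_t d, t;
    if (mcs_high_cats(daemon_range, &d) || mcs_high_cats(target_range, &t))
        return -1;
    for (int i = 0; i < WORDS; i++)
        if (t.bits[i] & ~d.bits[i])
            return 0;
    return 1;
}

/* Count categories in daemon_range that none of the n handler ranges uses. */
int mcs_excess_cats(const char *daemon_range, const char *const *handlers, int n)
{
    catset_t d, t;
    int excess = 0;
    if (mcs_high_cats(daemon_range, &d))
        return -1;
    for (int k = 0; k < n; k++) {
        if (mcs_high_cats(handlers[k], &t))
            return -1;
        for (int i = 0; i < WORDS; i++)
            d.bits[i] &= ~t.bits[i];  /* strike categories a handler needs */
    }
    for (int i = 0; i < WORDS; i++)
        for (uint64_t x = d.bits[i]; x; x &= x - 1)
            excess++;
    return excess;
}

int main(void)
{
    /* Constructed sample: the per-role categories from the thread's Apache example. */
    const char *const roles[] = { "s0:c0", "s0:c1", "s0:c2" };
    printf("s0 covers s0:c1? %d\n", mcs_dominates("s0", "s0:c1"));
    printf("unused in c0.c255: %d\n", mcs_excess_cats("s0-s0:c0.c255", roles, 3));
    return 0;
}
```

A daemon left at plain s0 covers none of the per-role ranges, while s0-s0:c0.c255 covers them with 253 categories to spare.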


* Re: daemons and MCS categories
  2009-05-11  5:11         ` KaiGai Kohei
@ 2009-05-11 12:37           ` Christopher J. PeBenito
  2009-05-12  0:20             ` KaiGai Kohei
  2009-05-16 16:05           ` Joe Nall
  1 sibling, 1 reply; 15+ messages in thread
From: Christopher J. PeBenito @ 2009-05-11 12:37 UTC (permalink / raw)
  To: KaiGai Kohei; +Cc: dwalsh, method, russell, SE-Linux

On Mon, 2009-05-11 at 14:11 +0900, KaiGai Kohei wrote:
> Are anyone interested in the daemon process with mcs categories?
> 
> My proposition tries to cover general daemon processes, but my
> major concern is apache/httpd performing without any categories.
> If we focus on the apache/httpd, we can add the following policy
> within the mod_selinux.pp, and it enables to run httpd_t with
> mcs categories.
> 
>   optional_policy(`
>       init_ranged_daemon_domain(httpd_t,httpd_exec_t,s0 - mcs_systemhigh)
>   ')
> 
> The mod_selinux.so is an apache/httpd module which enables to
> change its own security context prior to launching contents
> handler. We can set up the module to drop all the categories
> for unauthorized http clients, and rest of requests to perform
> with appropriate categories.
> 
> The above rule will be available only when mod_selinux is installed.
> I don't think it gives any impact for existing stuffs.

I think we should leave this up to the users.  Apache should only be
given the set of categories which is the union of all of the categories
used by mod_selinux, which can only be determined by the users.

> KaiGai Kohei wrote:
> > The attached patch is a proof-of-concept for the facility to launch
> > daemon processes with a certain mcs ranges.
> > 
> > The selinux-daemon-mcs-run_init.patch add run_init a new option which
> > specifies the name of daemon.
> > 
> >   # run_init -n httpd /etc/init.d/httpd restart
> > 
> > When -n option is given, run_init lookups under the
> > /etc/selinux/<policy type>/contexts/initrc/<daemon>, and replaces the
> > range to be assigned on the init script.
> > 
> >   [root@saba run_init]# cat /etc/selinux/targeted/contexts/initrc/httpd
> >   s0-s0:c0.c31
> >   [root@saba run_init]# ./run_init -n httpd /etc/init.d/httpd restart
> >   Authenticating kaigai.
> >   Password:
> >   Stopping httpd:                                            [  OK  ]
> >   Starting httpd:                                            [  OK  ]
> >   [root@saba run_init]# ps -AZ | grep httpd
> >   system_u:system_r:httpd_t:s0-s0:c0.c31 11303 ? 00:00:00 httpd
> >   system_u:system_r:httpd_t:s0-s0:c0.c31 11305 ? 00:00:00 httpd
> >   system_u:system_r:httpd_t:s0-s0:c0.c31 11308 ? 00:00:00 httpd
> >   system_u:system_r:httpd_t:s0-s0:c0.c31 11309 ? 00:00:00 httpd
> >   system_u:system_r:httpd_t:s0-s0:c0.c31 11310 ? 00:00:00 httpd
> >      :
> > 
> > The selinux-daemon-mcs-rc-script.patch is a short hack to the system
> > init script. It launches the required script with "runcon -l", if
> > per-daemon range is configured.
> > 
> > These reworks typically enable web-application (launched by httpd) to
> > perform in a certain restrictive category of MCS.
> > Currently, mod_selinux's security policy module assigns "mcssetcats"
> > on httpd_t, but it is fundamentally dangerous and nonsense. :(
> > 
> > So, I would like to see the daemon processes with appropriate categories.
> > 
> > Thanks,
> > 
> > KaiGai Kohei wrote:
> >> KaiGai Kohei wrote:
> >>> Sorry for opening the old discussion again.
> >>>
> >>> If you don't ML logs in local, please see the archives:
> >>>   http://marc.info/?t=114825463100001&r=1&w=2
> >>>
> >>> Christopher J. PeBenito wrote:
> >>>> I agree with James on this, I don't think we want to impose semantics in
> >>>> the MCS categories, and that this
> >>>>
> >>>>> Another possibility is to have the ability to configure which categories are 
> >>>>> assigned to a daemon via run_init or some similar program.  It would not be 
> >>>>> difficult to read a config file that maps the domain of a daemon to the range 
> >>>>> that should be granted to it.
> >>>> is useful so that if users do want to run a daemon with categories, they
> >>>> can.
> >>> Is it still unavailable on the current SELinux userspace utilities, isn't it?
> >> Shall we start to implement an extension of run_init and others based on
> >> the above Russell's idea?
> >>
> >> Now, I have a plan to store configuration files at:
> >>   /etc/selinux/${POLICY_TYPE}/contexts/initrc/${DAEMON}
> >>    or
> >>   /etc/selinux/${POLICY_TYPE}/contexts/initrc_contexts with format extensions
> >>
> >> and, add a new option to run_init as:
> >>   run_init [-n <daemon>] <script> [<args> ...]
> >>
> >>   It intends to see the per-daemon default range, instead of the initrc_contexts.
> >>
> >> and, add a bit of hacks on the /etc/rc.d/rc script which launches daemon scripts
> >> when run-level is changed. (Maybe, it is necessary to launch them via "runcon -l"
> >> when the given daemon has its own range.)
> >>
> >> The last also need to have a discussion in the Fedora developer's list.
> >> Dan, do you think it is a hopeful proposition?
> >>
> >> Thanks,
> >>
> >>> If we could start the init-scripts via runcon by hand, it seems to me the
> >>> daemon processes performs with multi categories.
> >>>
> >>>  | [root@saba ~]# runcon -l s0-s0:c0.c255 /etc/init.d/httpd restart
> >>>  | Stopping httpd:                                            [  OK  ]
> >>>  | Starting httpd:                                            [  OK  ]
> >>>  | [root@saba ~]# ps -AZ | grep httpd
> >>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6458 ? 00:00:00 httpd
> >>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6460 ? 00:00:00 httpd
> >>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6461 ? 00:00:00 httpd
> >>>  | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6462 ? 00:00:00 httpd
> >>>  |      :
> >>>
> >>> But it is unavailable when the system kicks init-script on startup time.
> >>> Is there any good idea?
> >>>
> >>> In the recent days, I'm working for an apache module (mod_selinux.so) which
> >>> launches web application handler under an individual security context based
> >>> on http-authentication.
> >>> I'm looking for the way to assign a few dozens of categories on httpd server
> >>> processes which are launched at system startup time.
> >>>
> >>> Thanks,
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: daemons and MCS categories
  2009-05-11 12:37           ` Christopher J. PeBenito
@ 2009-05-12  0:20             ` KaiGai Kohei
  2009-05-13  4:07               ` KaiGai Kohei
  0 siblings, 1 reply; 15+ messages in thread
From: KaiGai Kohei @ 2009-05-12  0:20 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: dwalsh, method, russell, SE-Linux

Christopher J. PeBenito wrote:
> On Mon, 2009-05-11 at 14:11 +0900, KaiGai Kohei wrote:
>> Are anyone interested in the daemon process with mcs categories?
>>
>> My proposition tries to cover general daemon processes, but my
>> major concern is apache/httpd performing without any categories.
>> If we focus on the apache/httpd, we can add the following policy
>> within the mod_selinux.pp, and it enables to run httpd_t with
>> mcs categories.
>>
>>   optional_policy(`
>>       init_ranged_daemon_domain(httpd_t,httpd_exec_t,s0 - mcs_systemhigh)
>>   ')
>>
>> The mod_selinux.so is an apache/httpd module which enables to
>> change its own security context prior to launching contents
>> handler. We can set up the module to drop all the categories
>> for unauthorized http clients, and rest of requests to perform
>> with appropriate categories.
>>
>> The above rule will be available only when mod_selinux is installed.
>> I don't think it gives any impact for existing stuffs.
> 
> I think we should leave this up to the users.  Apache should only be
> given the set of categories which is the union of all of the categories
> used by mod_selinux, which can only be determined by the users.

Yes, I also think it is more preferable than (mostly) wired mcs_systemhigh.
However, the matter is the way to start up httpd with certain categories.
The run_init invokes all the daemon process with a security context
configured in /etc/selinux/$POLICYTYPE/contexts/initrc_context, and
the case when system startup script kicks them also does not care anything.

What is a preferable idea?

Here is one other idea I noticed yesterday.
1. The mod_selinux package installs mod_selinux.pp which adds a range_transition
   rule to mcs_systemhigh on httpd_t and httpd_exec_t as I noted above.
2. The mod_selinux.so (loadable module for httpd) drops unnecessary categories
   at the ap_run_post_config() hook which gives modules a chance to verify
   global configuration.

It is Apache/httpd specific solution, but 99% of my concern will be solved.

Thanks,

-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>


* Re: daemons and MCS categories
  2009-05-12  0:20             ` KaiGai Kohei
@ 2009-05-13  4:07               ` KaiGai Kohei
  0 siblings, 0 replies; 15+ messages in thread
From: KaiGai Kohei @ 2009-05-13  4:07 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: dwalsh, method, russell, SE-Linux

KaiGai Kohei wrote:
> Christopher J. PeBenito wrote:
>> On Mon, 2009-05-11 at 14:11 +0900, KaiGai Kohei wrote:
>>> Are anyone interested in the daemon process with mcs categories?
>>>
>>> My proposition tries to cover general daemon processes, but my
>>> major concern is apache/httpd performing without any categories.
>>> If we focus on the apache/httpd, we can add the following policy
>>> within the mod_selinux.pp, and it enables to run httpd_t with
>>> mcs categories.
>>>
>>>   optional_policy(`
>>>       init_ranged_daemon_domain(httpd_t,httpd_exec_t,s0 - mcs_systemhigh)
>>>   ')
>>>
>>> The mod_selinux.so is an apache/httpd module which enables to
>>> change its own security context prior to launching contents
>>> handler. We can set up the module to drop all the categories
>>> for unauthorized http clients, and rest of requests to perform
>>> with appropriate categories.
>>>
>>> The above rule will be available only when mod_selinux is installed.
>>> I don't think it gives any impact for existing stuffs.
>> I think we should leave this up to the users.  Apache should only be
>> given the set of categories which is the union of all of the categories
>> used by mod_selinux, which can only be determined by the users.
> 
> Yes, I also think it is more preferable than (mostly) wired mcs_systemhigh.
> However, the matter is the way to start up httpd with certain categories.
> The run_init invokes all the daemon process with a security context
> configured in /etc/selinux/$POLICYTYPE/contexts/initrc_context, and
> the case when system startup script kicks them also does not care anything.
> 
> What is a preferable idea?
> 
> Here is one other idea I noticed yesterday.
> 1. The mod_selinux package installs mod_selinux.pp which adds a range_transition
>    rule to mcs_systemhigh on httpd_t and httpd_exec_t as I noted above.
> 2. The mod_selinux.so (loadable module for httpd) drops unnecessary categories
>    at the ap_run_post_config() hook which gives modules a chance to verify
>    global configuration.
> 
> It is Apache/httpd specific solution, but 99% of my concern will be solved.

I tried to implement the idea, and it seems to me it works correctly.
  http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.c#123

o /etc/httpd/conf.d/mod_selinux.conf
    :
  selinuxServerDomain     *:s0-s0:c0.c15
    :

  This global directive specifies a domain/range pair to be performed as.

o /var/log/httpd/error_log
      :
  [Wed May 13 12:48:32 2009] [notice] SELinux policy enabled; \
    httpd running as context system_u:system_r:httpd_t:s0-s0:c0.c1023
      :
  [Wed May 13 12:48:32 2009] [debug] mod_selinux.c(154): SELinux: \
    replace server domain: system_u:system_r:httpd_t:s0-s0:c0.c1023/*:s0-s0:c0.c15
      :

  The log message said the apache/httpd was initially started up with
  system_u:system_r:httpd_t:s0-s0:c0.c1023, then mod_selinux dropped
  unnecessary categories according to the selinuxServerDomain.
  (mod_selinux.pp adds a range_transition rule.)

o ps -AZ
  [root@saba ~]# ps -AZ | grep httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 2994 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 2997 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 2998 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 2999 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 3000 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 3001 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 3002 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 3003 ?  00:00:00 httpd
  system_u:system_r:httpd_t:s0-s0:c0.c15 3004 ?  00:00:00 httpd

  It can assign content handler a category between c0 and c15
  based on the http authentication.

I think 80% of the package is ready to push for Fedora Project.
The remaining issue is the following ugly policy:
  http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.if

If possible, I would like services/apache.if to provide an interface to
assign minimum set of privileges to perform as a part of httpd process.
It enables web-application authors to focus on access controls for
web contents.

Thanks,


-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
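
Added example, not part of the thread and not mod_selinux code: a Python check for the two points discussed above, that httpd should hold only the union of the categories its web users need, and that after startup no httpd_t process should still carry categories beyond the configured selinuxServerDomain range. It assumes an MCS policy with the single sensitivity s0 and raw (untranslated) labels; the sample ps output and the per-user ranges are constructed.

```python
import re

_ITEM = re.compile(r"c(\d+)(?:\.c(\d+))?$")


def parse_cats(spec):
    """Expand a category list such as 'c0.c15,c20' into a set of ints."""
    cats = set()
    for item in filter(None, spec.split(",")):
        m = _ITEM.match(item)
        if not m:
            raise ValueError("bad category item: %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError("descending category range: %r" % item)
        cats.update(range(lo, hi + 1))
    return cats


def clearance_cats(rng):
    """Categories of the high level of a raw range like 's0-s0:c0.c15'."""
    high = rng.rpartition("-")[2]           # single level: the whole string
    return parse_cats(high.partition(":")[2])


def format_cats(cats):
    """Compact notation for a category set, e.g. {0,1,2,7} -> 'c0.c2,c7'."""
    out, run = [], []
    for c in sorted(cats) + [None]:         # None flushes the final run
        if run and c is not None and c == run[-1] + 1:
            run.append(c)
            continue
        if run:
            out.append("c%d" % run[0] if len(run) == 1
                       else "c%d.c%d" % (run[0], run[-1]))
        run = [c]
    return ",".join(out)


def minimal_range(ranges):
    """Smallest s0-based range covering the union of the given ranges."""
    union = set()
    for rng in ranges:
        union |= clearance_cats(rng)
    return "s0-s0:" + format_cats(union) if union else "s0"


def is_drop(old, new):
    """True if moving from range `old` to `new` only removes categories."""
    return clearance_cats(new) <= clearance_cats(old)


def audit_ps(ps_output, ceiling, domain="httpd_t"):
    """Return [(pid, extra_categories)] for `domain` processes above `ceiling`."""
    allowed = clearance_cats(ceiling)
    findings = []
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].count(":") < 3:
            continue                        # header or line without a full label
        _user, _role, typ, rng = fields[0].split(":", 3)
        if typ != domain:
            continue
        extra = clearance_cats(rng) - allowed
        if extra:
            findings.append((fields[1], format_cats(extra)))
    return findings


# Constructed sample, modeled on the `ps -AZ | grep httpd` output in the thread.
SAMPLE_PS = """\
LABEL                                        PID TTY      TIME     CMD
system_u:system_r:httpd_t:s0-s0:c0.c15      2994 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0-s0:c0.c15      2997 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0-s0:c0.c1023    3005 ?        00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 6458 ? 00:00:00 httpd
"""
# Constructed per-user ranges that a per-user mapping might assign.
USER_RANGES = ["s0:c1", "s0:c2,c5", "s0-s0:c3"]

if __name__ == "__main__":
    directive = "*:s0-s0:c0.c15"            # selinuxServerDomain value from the thread
    ceiling = directive.split(":", 1)[1]    # assumption: "<domain>:<range>"
    print("range httpd needs for these users:", minimal_range(USER_RANGES))
    print("startup -> configured is a pure drop:",
          is_drop("s0-s0:c0.c1023", ceiling))
    for pid, extra in audit_ps(SAMPLE_PS, ceiling):
        print("pid %s still holds %s" % (pid, extra))
```

On a live system the same audit can be fed the real output of `ps -AZ`; a non-empty result means some httpd_t process kept categories that the configured range was supposed to remove.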


* Re: daemons and MCS categories
  2009-05-11  5:11         ` KaiGai Kohei
  2009-05-11 12:37           ` Christopher J. PeBenito
@ 2009-05-16 16:05           ` Joe Nall
  2009-05-18  8:31             ` KaiGai Kohei
  1 sibling, 1 reply; 15+ messages in thread
From: Joe Nall @ 2009-05-16 16:05 UTC (permalink / raw)
  To: KaiGai Kohei; +Cc: dwalsh, method, Christopher J. PeBenito, russell, SE-Linux


On May 11, 2009, at 12:11 AM, KaiGai Kohei wrote:

> Are anyone interested in the daemon process with mcs categories?
>
> My proposition tries to cover general daemon processes, but my
> major concern is apache/httpd performing without any categories.
> If we focus on the apache/httpd, we can add the following policy
> within the mod_selinux.pp, and it enables to run httpd_t with
> mcs categories.
>
>  optional_policy(`
>      init_ranged_daemon_domain(httpd_t,httpd_exec_t,s0 - mcs_systemhigh)
>  ')
>
> The mod_selinux.so is an apache/httpd module which enables to
> change its own security context prior to launching contents
> handler. We can set up the module to drop all the categories
> for unauthorized http clients, and rest of requests to perform
> with appropriate categories.
>
> The above rule will be available only when mod_selinux is installed.
> I don't think it gives any impact for existing stuffs.
>
> Any comments?

FWIW, we run apache 1.3 out of xinetd at multiple contexts using  
labeled networking. HTTP performance is surprisingly good. HTTPS  
performance is unacceptable, so we are using an HTTPS reverse proxy in  
a DMZ for single level network services to the 'enterprise'.

joe




* Re: daemons and MCS categories
  2009-05-16 16:05           ` Joe Nall
@ 2009-05-18  8:31             ` KaiGai Kohei
  2009-05-18 12:57               ` Joe Nall
  0 siblings, 1 reply; 15+ messages in thread
From: KaiGai Kohei @ 2009-05-18  8:31 UTC (permalink / raw)
  To: Joe Nall; +Cc: dwalsh, method, Christopher J. PeBenito, russell, SE-Linux

Joe Nall wrote:
> 
> On May 11, 2009, at 12:11 AM, KaiGai Kohei wrote:
> 
>> Are anyone interested in the daemon process with mcs categories?
>>
>> My proposition tries to cover general daemon processes, but my
>> major concern is apache/httpd performing without any categories.
>> If we focus on the apache/httpd, we can add the following policy
>> within the mod_selinux.pp, and it enables to run httpd_t with
>> mcs categories.
>>
>>  optional_policy(`
>>      init_ranged_daemon_domain(httpd_t,httpd_exec_t,s0 - mcs_systemhigh)
>>  ')
>>
>> The mod_selinux.so is an apache/httpd module which enables to
>> change its own security context prior to launching contents
>> handler. We can set up the module to drop all the categories
>> for unauthorized http clients, and rest of requests to perform
>> with appropriate categories.
>>
>> The above rule will be available only when mod_selinux is installed.
>> I don't think it gives any impact for existing stuffs.
>>
>> Any comments?
> 
> FWIW, we run apache 1.3 out of xinetd at multiple contexts using labeled 
> networking. HTTP performance is surprisingly good. HTTPS performance is 
> unacceptable, so we are using an HTTPS reverse proxy in a DMZ for single 
> level network services to the 'enterprise'.

Are you saying that xinetd can launch multiple apache/httpd daemon processes
with individual security context? If so, unfortunately, it is different from
what I would like to achieve. :(

I guess the security context of the daemon process is determined prior to
receiving http-requests come from users, but the security context to be
assigned on web application depends on the authentication-header within
the http-request-headers, so we cannot know who connected to on xinetd time.

Or, are we talking about topics in different layer?

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>


* Re: daemons and MCS categories
  2009-05-18  8:31             ` KaiGai Kohei
@ 2009-05-18 12:57               ` Joe Nall
  2009-05-19  2:51                 ` KaiGai Kohei
  0 siblings, 1 reply; 15+ messages in thread
From: Joe Nall @ 2009-05-18 12:57 UTC (permalink / raw)
  To: KaiGai Kohei; +Cc: dwalsh, method, Christopher J. PeBenito, russell, SE-Linux


On May 18, 2009, at 3:31 AM, KaiGai Kohei wrote:

> Joe Nall wrote:
>>
>> On May 11, 2009, at 12:11 AM, KaiGai Kohei wrote:
>>
>>> Are anyone interested in the daemon process with mcs categories?
>>>
>>> My proposition tries to cover general daemon processes, but my
>>> major concern is apache/httpd performing without any categories.
>>> If we focus on the apache/httpd, we can add the following policy
>>> within the mod_selinux.pp, and it enables to run httpd_t with
>>> mcs categories.
>>>
>>> optional_policy(`
>>>     init_ranged_daemon_domain(httpd_t,httpd_exec_t,s0 - mcs_systemhigh)
>>> ')
>>>
>>> The mod_selinux.so is an apache/httpd module which enables to
>>> change its own security context prior to launching contents
>>> handler. We can set up the module to drop all the categories
>>> for unauthorized http clients, and rest of requests to perform
>>> with appropriate categories.
>>>
>>> The above rule will be available only when mod_selinux is installed.
>>> I don't think it gives any impact for existing stuffs.
>>>
>>> Any comments?
>>
>> FWIW, we run apache 1.3 out of xinetd at multiple contexts using labeled
>> networking. HTTP performance is surprisingly good. HTTPS performance is
>> unacceptable, so we are using an HTTPS reverse proxy in a DMZ for single
>> level network services to the 'enterprise'.
>
> Are you saying that xinetd can launch multiple apache/httpd daemon processes
> with individual security context?

Yes

> If so, unfortunately, it is different from
> what I would like to achieve. :(
>
> I guess the security context of the daemon process is determined prior to
> receiving http-requests come from users, but the security context to be
> assigned on web application depends on the authentication-header within
> the http-request-headers, so we cannot know who connected to on xinetd time.

We are basing the context on the context of the connecting user,  
delivered by either netlabel or labeled IPSec. We are not changing  
context based on apache user authentication.

> Or, are we talking about topics in different layer?

Sounds like it. Just wanted to point out that you might not need to  
trust apache to achieve some of your goals.

joe





* Re: daemons and MCS categories
  2009-05-18 12:57               ` Joe Nall
@ 2009-05-19  2:51                 ` KaiGai Kohei
  0 siblings, 0 replies; 15+ messages in thread
From: KaiGai Kohei @ 2009-05-19  2:51 UTC (permalink / raw)
  To: Joe Nall; +Cc: dwalsh, method, Christopher J. PeBenito, russell, SE-Linux

>>> FWIW, we run apache 1.3 out of xinetd at multiple contexts using labeled
>>> networking. HTTP performance is surprisingly good. HTTPS performance is
>>> unacceptable, so we are using an HTTPS reverse proxy in a DMZ for single
>>> level network services to the 'enterprise'.
>>
>> Are you saying that xinetd can launch multiple apache/httpd daemon processes
>> with individual security context?
> 
> Yes
> 
>> If so, unfortunately, it is different from
>> what I would like to achieve. :(
>>
>> I guess the security context of the daemon process is determined prior to
>> receiving http-requests come from users, but the security context to be
>> assigned on web application depends on the authentication-header within
>> the http-request-headers, so we cannot know who connected to on xinetd time.
> 
> We are basing the context on the context of the connecting user, 
> delivered by either netlabel or labeled IPSec. We are not changing 
> context based on apache user authentication.

Understood.

>> Or, are we talking about topics in different layer?
> 
> Sounds like it. Just wanted to point out that you might not need to 
> trust apache to achieve some of your goals.

We need to trust the apache/httpd applies its authentication and
dropping privileges correctly. However, all the new domain is
bounded by httpd_t, so there are no fundamental differences outside
of the httpd_t.

The purpose of this effort is to associate a concept of web-user
and a security context while apache/httpd performs as an agent of
the human-user. So, I would like to restrict a part of privileges
within a set of them allowed to httpd_t.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

