From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Joshua Roys <joshua.roys@gtri.gatech.edu>
Cc: "selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>
Subject: Re: [RFC][PATCH] mod_selinux: setcon earlier
Date: Mon, 08 Mar 2010 15:42:58 +0900
Message-ID: <4B949C72.4040104@ak.jp.nec.com>
In-Reply-To: <4B917BCF.7060200@gtri.gatech.edu>
(2010/03/06 6:46), Joshua Roys wrote:
> Hello,
>
> I am wondering if the attached patch creates the actual intended
> behavior? Specifically, at which point httpd calls setcon() when the
> selinuxServerDomain option is set.
>
> The current code ends up calling setcon after sockets have been opened,
> at least if the prefork mpm is in use. Here's the current path: apache
> calls these hooks in this order: pre_config, check_config, open_logs,
> post_config. The prefork mpm opens the listening sockets in open_logs,
> and mod_selinux does setcon() in post_config. However, I noticed that
> the selinuxServerDomain option has the EXEC_ON_READ option set... and I
> noticed issues with labeled networking having the setcon() called after
> the listening sockets are opened.
Hmm. The purpose of selinuxServerDomain is to allow dropping unnecessary
categories at startup time, although mod_selinux.pp sets it
to translate into 's0 - mcs_systemhigh'. So, the listener sockets
should also be created in the configured domain.
It seems to me that what you pointed out is fair enough.
However, I cannot agree to changing the security context of the server
while it parses the configuration file, because we can call setcon()
in the open_logs hook, earlier than the listener sockets are created, by
using APR_HOOK_FIRST instead of APR_HOOK_MIDDLE.
Thanks,
> The attached patch deletes (well, in this version just comments out...)
> the mod_selinux post_config hook, and calls the routine directly from
> the set_server_domain option-processing hook. This, because of the
> EXEC_ON_READ option, is executed immediately upon finding a
> selinuxServerDomain option in a httpd config file. Thus, setcon() is
> called before sockets are opened.
>
> Josh
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
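The ordering argument in this reply, as an added example that is not code from this thread or from mod_selinux: a small C model of APR hook ordering (lower order value runs first; equal values run in registration order, with the values from apr_hooks.h) that registers the hooks as the thread describes and reports whether setcon() precedes listener creation. It assumes prefork's listener-creating open_logs hook sits at the default APR_HOOK_MIDDLE; the hook names and the `setcon_before_listen` function are hypothetical.

```c
/* Added example, not from the thread or mod_selinux: a minimal model of
 * APR hook ordering used to check the sequence argued above.
 * ASSUMPTION: prefork's open_logs hook (which opens the listeners) is
 * registered at APR_HOOK_MIDDLE; check prefork.c before relying on it. */
#include <stdio.h>
#include <string.h>

/* Ordering values as defined in apr_hooks.h; lower runs first. */
enum { HOOK_REALLY_FIRST = -10, HOOK_FIRST = 0, HOOK_MIDDLE = 10,
       HOOK_LAST = 20, HOOK_REALLY_LAST = 30 };

typedef struct { const char *phase; const char *name; int order; } hook_t;
static hook_t hooks[16];
static int nhooks;

static void register_hook(const char *phase, const char *name, int order)
{
    hook_t h = { phase, name, order };
    hooks[nhooks++] = h;
}

/* Run every hook of one phase; ties keep registration order because the
 * scan is ascending and only a strictly lower order value wins. */
static void run_phase(const char *phase, char *trace, size_t cap)
{
    int done[16] = { 0 };
    for (;;) {
        int best = -1;
        for (int i = 0; i < nhooks; i++) {
            if (done[i] || strcmp(hooks[i].phase, phase) != 0) continue;
            if (best < 0 || hooks[i].order < hooks[best].order) best = i;
        }
        if (best < 0) return;
        done[best] = 1;
        strncat(trace, hooks[best].name, cap - strlen(trace) - 1);
        strncat(trace, ";", cap - strlen(trace) - 1);
    }
}

/* Register prefork (listener creation) and mod_selinux (setcon) in the
 * phase/order given, run httpd's phases in order, and return 1 if the
 * setcon step ran before the listeners were opened. */
int setcon_before_listen(const char *sel_phase, int sel_order, char *trace, size_t cap)
{
    nhooks = 0;
    trace[0] = '\0';
    register_hook("open_logs", "prefork:listen", HOOK_MIDDLE);   /* assumption */
    register_hook(sel_phase, "mod_selinux:setcon", sel_order);
    const char *phases[] = { "pre_config", "check_config", "open_logs", "post_config" };
    for (int i = 0; i < 4; i++) run_phase(phases[i], trace, cap);
    return strstr(trace, "setcon") < strstr(trace, "listen");
}
```

Registering mod_selinux's hook in open_logs at the same APR_HOOK_MIDDLE as prefork still loses to prefork when prefork registered first, which is why the order value matters and not just the phase.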