* [RFC][PATCH] mod_selinux: setcon earlier
@ 2010-03-05 21:46 Joshua Roys
From: Joshua Roys @ 2010-03-05 21:46 UTC (permalink / raw)
To: selinux@tycho.nsa.gov
Hello,
I am wondering whether the attached patch creates the actual intended
behavior, specifically at which point httpd calls setcon() when the
selinuxServerDomain option is set.
The current code ends up calling setcon after sockets have been opened,
at least if the prefork mpm is in use. Here's the current path: apache
calls these hooks in this order: pre_config, check_config, open_logs,
post_config. The prefork mpm opens the listening sockets in open_logs,
and mod_selinux does setcon() in post_config. However, I noticed that
the selinuxServerDomain option has the EXEC_ON_READ option set... and I
noticed issues with labeled networking having the setcon() called after
the listening sockets are opened.
The attached patch deletes (well, in this version just comments out...)
the mod_selinux post_config hook, and calls the routine directly from
the set_server_domain option-processing hook. This, because of the
EXEC_ON_READ option, is executed immediately upon finding a
selinuxServerDomain option in a httpd config file. Thus, setcon() is
called before sockets are opened.
Josh
[-- Attachment #1.2: setcon-earlier.diff --]
--- mod_selinux.c.old 2010-03-03 11:40:14.886608228 -0500
+++ mod_selinux.c 2010-03-03 11:40:19.019609063 -0500
@@ -394,8 +394,10 @@
if (is_selinux_enabled() < 1)
return;
+/*
ap_hook_post_config(selinux_post_config,
NULL, NULL, APR_HOOK_MIDDLE);
+*/
ap_hook_post_read_request(selinux_post_read_request,
NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_handler(selinux_handler,
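Review bot: the post_config registration is commented out rather than removed (the `/*` ... `*/` around `ap_hook_post_config(selinux_post_config,`), which leaves dead code in the hook-registration function; if the hook is really going away, delete the block. Also note the consequence: after this hunk selinux_post_config is no longer registered anywhere, so it runs only when the directive handler calls it, and a configuration that has no selinuxServerDomain line never reaches it at all, whereas before it ran on every startup once is_selinux_enabled() passed. Anything that routine does besides the setcon() for the configured domain is therefore lost in that case.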
@@ -470,6 +472,8 @@
{
server_domain = apr_pstrdup(cmd->pool, v1);
+ selinux_post_config(NULL, NULL, cmd->temp_pool, cmd->server);
+
return NULL;
}
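Review bot: the result of `selinux_post_config(NULL, NULL, cmd->temp_pool, cmd->server);` is discarded and set_server_domain still returns NULL (success) unconditionally, so a failing setcon() inside it would no longer stop the server the way a failing post_config hook does; capture the return value and return an error string from the directive handler when it fails. Passing NULL for the first two pool arguments is also a latent null dereference should selinux_post_config ever use them. And because this directive is EXEC_ON_READ, the domain transition now happens while the configuration is being parsed, on every parse (including syntax checks and restarts) and once per occurrence of the directive; that is the behaviour KaiGai objects to downthread, and a hook that runs once before the listeners are created is the safer place for the call.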
* Re: [RFC][PATCH] mod_selinux: setcon earlier
From: KaiGai Kohei @ 2010-03-08 6:42 UTC (permalink / raw)
To: Joshua Roys; +Cc: selinux@tycho.nsa.gov
(2010/03/06 6:46), Joshua Roys wrote:
> Hello,
>
> I am wondering if the attached patch creates the actual intended
> behavior? Specifically, at which point httpd calls setcon() when the
> selinuxServerDomain option is set.
>
> The current code ends up calling setcon after sockets have been opened,
> at least if the prefork mpm is in use. Here's the current path: apache
> calls these hooks in this order: pre_config, check_config, open_logs,
> post_config. The prefork mpm opens the listening sockets in open_logs,
> and mod_selinux does setcon() in post_config. However, I noticed that
> the selinuxServerDomain option has the EXEC_ON_READ option set... and I
> noticed issues with labeled networking having the setcon() called after
> the listening sockets are opened.
Hmm. The purpose of selinuxServerDomain is to allow dropping unnecessary
categories at start-up time, although mod_selinux.pp sets it
to translate into 's0 - mcs_systemhigh'. So, the listener sockets
should also be created in the configured domain.
It seems to me that what you pointed out is fair enough.
However, I cannot agree to changing the security context of the server
while it parses the configuration file, because we can call setcon()
in the open_logs hook, earlier than the listener sockets are created, using
APR_HOOK_FIRST rather than APR_HOOK_MIDDLE.
Thanks,
> The attached patch deletes (well, in this version just comments out...)
> the mod_selinux post_config hook, and calls the routine directly from
> the set_server_domain option-processing hook. This, because of the
> EXEC_ON_READ option, is executed immediately upon finding a
> selinuxServerDomain option in a httpd config file. Thus, setcon() is
> called before sockets are opened.
>
> Josh
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [RFC][PATCH] mod_selinux: setcon earlier
From: Joshua Roys @ 2010-03-08 21:22 UTC (permalink / raw)
To: selinux@tycho.nsa.gov
On 03/08/2010 01:42 AM, KaiGai Kohei wrote:
>> The current code ends up calling setcon after sockets have been opened,
...
>> noticed issues with labeled networking having the setcon() called after
>> the listening sockets are opened.
>
> Hmm. The purpose of selinuxServerDomain is to allow dropping unnecessary
> categories at start-up time, although mod_selinux.pp sets it
> to translate into 's0 - mcs_systemhigh'. So, the listener sockets
> should also be created in the configured domain.
> It seems to me that what you pointed out is fair enough.
>
> However, I cannot agree to changing the security context of the server
> while it parses the configuration file, because we can call setcon()
> in the open_logs hook, earlier than the listener sockets are created, using
> APR_HOOK_FIRST rather than APR_HOOK_MIDDLE.
>
> Thanks,
>
Hello,
Do you mean instead of mod_selinux hooking post_config, it would now
hook open_logs? If so, I think you would have to use something like:
(APR_HOOK_REALLY_FIRST-1), because prefork.c hooks open_logs using
REALLY_FIRST...
Thanks,
Josh
* Re: [RFC][PATCH] mod_selinux: setcon earlier
From: KaiGai Kohei @ 2010-03-09 1:02 UTC (permalink / raw)
To: Joshua Roys; +Cc: selinux@tycho.nsa.gov
(2010/03/09 6:22), Joshua Roys wrote:
> On 03/08/2010 01:42 AM, KaiGai Kohei wrote:
>>> The current code ends up calling setcon after sockets have been opened,
> ...
>>> noticed issues with labeled networking having the setcon() called after
>>> the listening sockets are opened.
>>
>> Hmm. The purpose of selinuxServerDomain is to allow dropping unnecessary
>> categories at start-up time, although mod_selinux.pp sets it
>> to translate into 's0 - mcs_systemhigh'. So, the listener sockets
>> should also be created in the configured domain.
>> It seems to me that what you pointed out is fair enough.
>>
>> However, I cannot agree to changing the security context of the server
>> while it parses the configuration file, because we can call setcon()
>> in the open_logs hook, earlier than the listener sockets are created, using
>> APR_HOOK_FIRST rather than APR_HOOK_MIDDLE.
>>
>> Thanks,
>>
>
> Hello,
>
> Do you mean instead of mod_selinux hooking post_config, it would now
> hook open_logs? If so, I think you would have to use something like:
> (APR_HOOK_REALLY_FIRST-1), because prefork.c hooks open_logs using
> REALLY_FIRST...
Yes, not only prefork; all the supported MPM engines do it in this manner.
As long as we are on the apache/httpd-2.2.x series, this hack will be needed.
The upcoming apache/httpd-2.4.x series allows implementing the MPM
engine as an actually loadable module, so we will be able to avoid this
kind of hack, with multi-processing behavior suitable for SELinux...
Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
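The hook-ordering point made in the last two messages (prefork registers its open_logs hook at APR_HOOK_REALLY_FIRST, so a mod_selinux open_logs hook at APR_HOOK_FIRST would still run after the listeners are created, and something like (APR_HOOK_REALLY_FIRST-1) is needed) can be checked with a small model of how APR orders hooks. The following is an added example, not code from mod_selinux or httpd: the APR_HOOK_* values are the real constants from apr_hooks.h, but the hook table, the phase sequence and the stable sort standing in for APR's hook sorting are constructed here for illustration, and the labels "listen" and "setcon" are made up.

```c
/* Added example (not mod_selinux or httpd code): a tiny model of APR hook
 * ordering, used to show why mod_selinux's setcon() in post_config ran
 * after prefork's listeners were opened, why open_logs at APR_HOOK_FIRST
 * does not fix it, and why (APR_HOOK_REALLY_FIRST - 1) does.  The order
 * constants are the real values from apr_hooks.h; everything else is a
 * constructed stand-in. */
#include <stdio.h>
#include <string.h>

#define APR_HOOK_REALLY_FIRST (-10)
#define APR_HOOK_FIRST          0
#define APR_HOOK_MIDDLE        10
#define APR_HOOK_LAST          20
#define APR_HOOK_REALLY_LAST   30

struct hook {
    const char *phase; /* which httpd hook it was registered on */
    const char *name;  /* constructed label for who registered it */
    int order;         /* APR_HOOK_* value given at registration */
};

/* httpd runs these phases in this sequence (pre_config and check_config
 * are omitted because nothing in the thread registers on them). */
static const char *phase_seq[] = { "open_logs", "post_config" };

/* Stable insertion sort on `order` (lower values run first).  In this model
 * equal values keep registration order; the thread's point is that relying
 * on a tie with the MPM is not safe, hence REALLY_FIRST - 1. */
static void sort_by_order(struct hook *h, int n)
{
    for (int i = 1; i < n; i++) {
        struct hook key = h[i];
        int j = i - 1;
        while (j >= 0 && h[j].order > key.order) {
            h[j + 1] = h[j];
            j--;
        }
        h[j + 1] = key;
    }
}

/* Position at which the hook labelled `name` fires, counting across all
 * phases in sequence; -1 if it was never registered. */
static int fire_position(struct hook *h, int n, const char *name)
{
    int pos = 0;
    sort_by_order(h, n);
    for (size_t p = 0; p < sizeof phase_seq / sizeof phase_seq[0]; p++) {
        for (int i = 0; i < n; i++) {
            if (strcmp(h[i].phase, phase_seq[p]) != 0)
                continue;
            if (strcmp(h[i].name, name) == 0)
                return pos;
            pos++;
        }
    }
    return -1;
}

/* 1 if "setcon" fires before "listen" (listeners get the new domain). */
static int setcon_before_listen(struct hook *h, int n)
{
    int s = fire_position(h, n, "setcon");
    int l = fire_position(h, n, "listen");
    return s >= 0 && l >= 0 && s < l;
}

/* Unpatched module: prefork on open_logs at REALLY_FIRST, mod_selinux on
 * post_config at MIDDLE.  Listeners are opened in the old domain. */
int original_registration(void)
{
    struct hook h[] = {
        { "open_logs",   "listen", APR_HOOK_REALLY_FIRST },
        { "post_config", "setcon", APR_HOOK_MIDDLE },
    };
    return setcon_before_listen(h, 2);
}

/* open_logs at APR_HOOK_FIRST: still sorts after the MPM's REALLY_FIRST. */
int open_logs_at_first(void)
{
    struct hook h[] = {
        { "open_logs", "listen", APR_HOOK_REALLY_FIRST },
        { "open_logs", "setcon", APR_HOOK_FIRST },
    };
    return setcon_before_listen(h, 2);
}

/* open_logs at (APR_HOOK_REALLY_FIRST - 1): sorts ahead of the MPM. */
int open_logs_before_really_first(void)
{
    struct hook h[] = {
        { "open_logs", "listen", APR_HOOK_REALLY_FIRST },
        { "open_logs", "setcon", APR_HOOK_REALLY_FIRST - 1 },
    };
    return setcon_before_listen(h, 2);
}

int main(void)
{
    printf("post_config at MIDDLE:        setcon before listen = %d\n",
           original_registration());
    printf("open_logs at FIRST:           setcon before listen = %d\n",
           open_logs_at_first());
    printf("open_logs at REALLY_FIRST-1:  setcon before listen = %d\n",
           open_logs_before_really_first());
    return 0;
}
```

Only the third arrangement places setcon() ahead of listener creation, which is the ordering both posters end up agreeing on for the 2.2.x series.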