2009-04-28 05:54:59

by Kohei KaiGai

[permalink] [raw]
Subject: [refpolicy] [RFC] mod_selinux security policy

Folks,

Nowadays, I'm also developing a loadable module for apache/httpd,
named mod_selinux.so. It enables launching web applications with an
individual security context based on HTTP-authenticated users.
It internally uses a one-time worker thread for each connection to perform
as a restrictive domain bounded to httpd_t, due to the hard-wired rule for
multi-threaded processes.

In the LCA2009 demonstration, all we could show was an individual MCS category
per HTTP user because of the lack of TE policy.
The following ugly policy is an example of a TE policy for mod_selinux.so.

http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.te
http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.if

We needed to retain a minimum set of privileges on the bounded domains because
they also perform as a part of the daemon process, although their access to
the web contents or database objects is restricted.
(Thus, it allows webapp_type to write to log files, for example.)

In my hope, if we can have an interface to assign the minimum set of privileges
on the bounded domain, it will be helpful for authors of web applications
which provide their own security policy. It will enable them to focus on writing
their policy for web contents.

Could you tell me your opinions?

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <[email protected]>


2009-05-07 03:56:51

by Kohei KaiGai

[permalink] [raw]
Subject: [refpolicy] [RFC] mod_selinux security policy

KaiGai Kohei wrote:
> Folks,
>
> Nowadays, I'm also developing a loadable module for apache/httpd,
> named mod_selinux.so. It enables launching web applications with an
> individual security context based on HTTP-authenticated users.
> It internally uses a one-time worker thread for each connection to perform
> as a restrictive domain bounded to httpd_t, due to the hard-wired rule for
> multi-threaded processes.
>
> In the LCA2009 demonstration, all we could show was an individual MCS category
> per HTTP user because of the lack of TE policy.
> The following ugly policy is an example of a TE policy for mod_selinux.so.
>
> http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.te
> http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.if
>
> We needed to retain a minimum set of privileges on the bounded domains because
> they also perform as a part of the daemon process, although their access to
> the web contents or database objects is restricted.
> (Thus, it allows webapp_type to write to log files, for example.)
>
> In my hope, if we can have an interface to assign the minimum set of privileges
> on the bounded domain, it will be helpful for authors of web applications
> which provide their own security policy. It will enable them to focus on writing
> their policy for web contents.

One possible idea is to define a new attribute (e.g. httpd_server_type) which
contains httpd_t and other domains for built-in web applications.
A minimum set of privileges to perform as a web server process is allowed
on the httpd_server_type, and the rest of the permissions are allowed on
individual types.

Or, add a new template/interface to allow minimum privileges to perform as
a web server process (e.g. httpd_server_domain), then httpd_t and other
domains for built-in web applications use this template/interface.

Anyway, the mod_selinux currently copies and pastes a part of the policies for
apache, but it is basically not good due to the code duplication.

I would like to get any comments prior to pushing the package to Fedora.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <[email protected]>

2009-05-08 06:29:25

by Kohei KaiGai

[permalink] [raw]
Subject: [refpolicy] [PATCH] An interface to allow web-apps minimum privileges (Re: [RFC] mod_selinux security policy)

The purpose of the attached patch is a proof of the concept, and I don't
intend it to be committed soon.

This patch provides two new interfaces to apache.if which enable a web
application domain to share the minimum necessary privileges to perform
as a part of the web server process (httpd_t).

When we assign an individual security context on a web application handler,
it needs to be bounded to httpd_t due to the hardwired constraint for
multi-threaded processes.

The mod_selinux.so is a loadable module for the apache web server, which enables
assigning a bounded security context (based on HTTP authentication) prior to
invocations of the web application handler.
However, it also performs as a part of the web server process, so it needs the
minimum necessary privileges to play a role as a web server process, not only
as a web application instance. For example, if a web application instance
writes out a log message, it means the thread should have a set of privileges
to append a record to /var/log/httpd/error_log.

Most of apache_base_webapp() comes from apache.te with a bit of modification.
(So, there is no assurance whether it is really the minimum necessary privileges,
or not.) It allows a domain to perform as a part of the web server process. If we
have such a kind of interface in the upstream policy, it will enable policy
authors to focus on access controls for web contents.

What is your opinion? Any comments please.

Thanks,

KaiGai Kohei wrote:
> KaiGai Kohei wrote:
>> Folks,
>>
>> Nowadays, I'm also developing a loadable module for apache/httpd,
>> named mod_selinux.so. It enables launching web applications with an
>> individual security context based on HTTP-authenticated users.
>> It internally uses a one-time worker thread for each connection to perform
>> as a restrictive domain bounded to httpd_t, due to the hard-wired rule for
>> multi-threaded processes.
>>
>> In the LCA2009 demonstration, all we could show was an individual MCS category
>> per HTTP user because of the lack of TE policy.
>> The following ugly policy is an example of a TE policy for mod_selinux.so.
>>
>> http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.te
>> http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.if
>>
>> We needed to retain a minimum set of privileges on the bounded domains because
>> they also perform as a part of the daemon process, although their access to
>> the web contents or database objects is restricted.
>> (Thus, it allows webapp_type to write to log files, for example.)
>>
>> In my hope, if we can have an interface to assign the minimum set of privileges
>> on the bounded domain, it will be helpful for authors of web applications
>> which provide their own security policy. It will enable them to focus on writing
>> their policy for web contents.
>
> One possible idea is to define a new attribute (e.g. httpd_server_type) which
> contains httpd_t and other domains for built-in web applications.
> A minimum set of privileges to perform as a web server process is allowed
> on the httpd_server_type, and the rest of the permissions are allowed on
> individual types.
>
> Or, add a new template/interface to allow minimum privileges to perform as
> a web server process (e.g. httpd_server_domain), then httpd_t and other
> domains for built-in web applications use this template/interface.
>
> Anyway, the mod_selinux currently copies and pastes a part of the policies for
> apache, but it is basically not good due to the code duplication.
>
> I would like to get any comments prior to pushing the package to Fedora.
>
> Thanks,

--
OSS Platform Development Division, NEC
KaiGai Kohei <[email protected]>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-webapp-interface.patch
Type: text/x-patch
Size: 6528 bytes
Desc: not available
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20090508/a2a8c485/attachment-0001.bin
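As an added illustration of the two ideas discussed in this thread, the httpd_server_type attribute from the second mail and the bounded apache_base_webapp() interface from the third, here is a refpolicy-style sketch. It is not the patch attached above nor the project's own policy; the permission set, the interface body and the webapp_t / webapp_content_t types are assumptions made for the example.

```selinux
# Hypothetical refpolicy-style sketch, not the patch attached to the mail.
# Part 1 (apache.te / apache.if): one attribute collects every domain that
# runs as part of the httpd_t worker process, and the privileges needed
# merely to act as the web server are granted on it once, not copied.
attribute httpd_server_type;
typeattribute httpd_t httpd_server_type;

# Assumed minimum set: append to the error log, use httpd temp files, keep
# using the client socket that httpd_t already accepted.
allow httpd_server_type httpd_log_t:file append_file_perms;
allow httpd_server_type httpd_tmp_t:file manage_file_perms;
allow httpd_server_type httpd_t:tcp_socket rw_socket_perms;

## <summary>
##	Mark a domain as a web-application handler that a worker thread of
##	httpd_t may switch into; the domain is bounded by httpd_t.
## </summary>
## <param name="domain"><summary>Web application domain.</summary></param>
interface(`apache_base_webapp',`
	gen_require(`
		attribute httpd_server_type;
		type httpd_t;
	')

	typeattribute $1 httpd_server_type;

	# A thread of a multi-threaded process may only enter a domain bounded
	# by its parent: $1 can hold no permission that httpd_t lacks, and the
	# policy build rejects rules that would exceed the bound.
	typebounds httpd_t $1;

	# mod_selinux relabels the per-connection worker thread in place, which
	# SELinux models as a dynamic transition from httpd_t into $1.
	allow httpd_t self:process setcurrent;
	allow httpd_t $1:process dyntransition;
')

# Part 2 (webapp.te, a hypothetical application module): with the base
# interface in place, the module only describes access to its own content.
policy_module(webapp, 1.0)

type webapp_t;
domain_type(webapp_t)
apache_base_webapp(webapp_t)

type webapp_content_t;
files_type(webapp_content_t)
allow webapp_t webapp_content_t:dir list_dir_perms;
allow webapp_t webapp_content_t:file read_file_perms;
# Because of the bound, httpd_t must be allowed the same content access.
```

The check a practitioner would run after building such a module is to confirm that every rule on webapp_t is also held by httpd_t, since the typebounds statement makes the parent's permissions the ceiling for the web-application domain.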