From: kaigai@ak.jp.nec.com (KaiGai Kohei)
Date: Fri, 08 May 2009 15:29:25 +0900
Subject: [refpolicy] [PATCH] An interface to allow web-apps minimum privileges (Re: [RFC] mod_selinux security policy)
In-Reply-To: <4A025C03.50907@ak.jp.nec.com>
References: <49F69A33.2070601@ak.jp.nec.com> <4A025C03.50907@ak.jp.nec.com>
Message-ID: <4A03D145.2040901@ak.jp.nec.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The purpose of the attached patch is a proof of the concept, and I don't intend it to be committed soon.

This patch provides two new interfaces to apache.if which allow a web application domain to share the minimum necessary privileges to perform as a part of the web server process (httpd_t).

When we assign an individual security context to a web application handler, it needs to be bounded to httpd_t due to the hardwired constraint for multi-threaded processes.

The mod_selinux.so is a loadable module for the apache web server, which enables it to assign a bounded security context (based on http authentication) prior to invocation of the web application handler. However, it also performs as a part of the web server process, so it needs the minimum necessary privileges to play a role as a web server process, not only as a web application instance. For example, if a web application instance writes out a log message, it means the thread should have a set of privileges to append a record to /var/log/httpd/error_log.

Most of apache_base_webapp() comes from apache.te with a bit of modification. (So, there is no assurance whether it is really the minimum necessary privileges, or not.) It allows a domain to perform as a part of the web server process.

If we have such a kind of interface in the upstream policy, it will enable policy authors to focus on access controls for web contents.

What is your opinion?
Any comments please,

Thanks,

KaiGai Kohei wrote:
> KaiGai Kohei wrote:
>> Folks,
>>
>> Nowadays, I'm also under development for a loadable module on apache/httpd,
>> named mod_selinux.so. It enables launching web-applications with an
>> individual security context based on http-authenticated users.
>> It internally uses a one-time worker thread for each connection to perform
>> as a restrictive domain bounded to httpd_t due to the hard-wired rule for
>> multi-threaded processes.
>>
>> In the LCA2009 demonstration, all we could show was an individual MCS category
>> per http-user because of a lack of TE policy.
>> The following ugly policy is an example of TE policy for mod_selinux.so.
>>
>> http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.te
>> http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.if
>>
>> We needed to retain a minimum set of privileges on the bounded domains because
>> they also perform as a part of the daemon process, although they are restricted
>> in access to the web contents or database objects.
>> (Thus, it allows webapp_type to write on log files, for example.)
>>
>> In my hope, if we can have an interface to assign the minimum set of privileges
>> on the bounded domain, it will be helpful for authors of web applications
>> which provide their own security policy. It will enable them to focus on writing
>> their policy for web contents.
>
> One possible idea is to define a new attribute (e.g. httpd_server_type) which
> contains httpd_t and other domains for built-in web applications.
> A minimum set of privileges to perform as a web server process is allowed
> on the httpd_server_type, and the rest of the permissions are allowed on individual
> types.
>
> Or, add a new template/interface to allow minimum privileges to perform as
> a web server process (e.g. httpd_server_domain), then httpd_t and other
> domains for built-in web applications use this template/interface.
>
> Anyway, the mod_selinux currently copies and pastes a part of the policies for
> apache, but that is basically not good due to the code duplication.
>
> I would like to get any comments prior to pushing the package to Fedora.
>
> Thanks,

--
OSS Platform Development Division, NEC
KaiGai Kohei

-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-webapp-interface.patch
Type: text/x-patch
Size: 6528 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090508/a2a8c485/attachment-0001.bin
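The attached patch was scrubbed by the archive, so the following is an added illustration (not the patch, and not refpolicy's own code) of the second idea in the quoted thread: a template that marks a domain as part of the web server, bounds it to httpd_t, and grants one of the shared privileges the mail names (appending to the httpd error log). The names httpd_server_domain and httpd_server_type are the examples floated in the thread; webapp_user_t is a hypothetical web application domain; append_files_pattern, logging_search_logs, domain_type and the httpd_log_t / httpd_user_content_t types are standard refpolicy macros and types.

```m4
########################################
## <summary>
##	Minimum privileges to act as part of the httpd server process.
##	(Added illustration; hypothetical template, not refpolicy's own.)
## </summary>
## <param name="domain">
##	<summary>Web application domain that runs inside httpd.</summary>
## </param>
#
template(`httpd_server_domain',`
	gen_require(`
		attribute httpd_server_type;
		type httpd_t, httpd_log_t;
	')

	# Collect every domain that performs as part of the web server, so
	# server-wide rules can be written once against the attribute.
	typeattribute $1 httpd_server_type;

	# A thread in a multi-threaded process may only transition to a
	# domain bounded by the process domain; declare that bound here so
	# $1 can never exceed what httpd_t itself is allowed.
	typebounds httpd_t $1;

	# Shared server-process privilege from the thread: appending a
	# record to /var/log/httpd/error_log (httpd_log_t).
	logging_search_logs($1)
	append_files_pattern($1, httpd_log_t, httpd_log_t)
')

########################################
# In a web application's own .te (hypothetical domain name):
#
#   attribute httpd_server_type;          # declared once, e.g. in apache.te
#
#   type webapp_user_t;
#   domain_type(webapp_user_t)
#   httpd_server_domain(webapp_user_t)
#
#   # Only the content-specific rules remain for the policy author, e.g.:
#   allow webapp_user_t httpd_user_content_t:file read_file_perms;
```

Because the typebounds statement lives in the template, a webapp domain that is granted something httpd_t lacks would fail at policy build time rather than silently widening the server's privileges.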