SELinux Mailing List
subject: Apache 2 file contexts
Date: Tue, 8 Oct 2002 16:00:33 +0200

--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Russell Coker <russell_at_coker.com.au>
subject: Re: Apache 2 file contexts
Date: Tue, 8 Oct 2002 19:06:13 +0200
Good work! You not only got it working with apache2 but fixed a couple of things I missed in getting it to work properly with Debian!

If you'd like to make Apache your thing then you could start working on the policy for Apache; there are quite a few things that could be improved. For starters a set of macros for different features commonly used with Apache would be good. Something like define(`apache_php') for using PHP, etc. would be really handy to have. Also we'll probably need support for multiple user domains for cgi-bin scripts.

Apache policy would be a starter project for someone who wants to get seriously involved in SE Linux (I think that you do). The Apache policy was written in the early days and hasn't benefited from the re-writes that have covered most of the other policy. I haven't done anything serious with it as it's functional enough that I was not forced to, but ugly enough that I didn't want to...

Anyway I've updated my tree with the equivalent code to your patch (I've changed the order a bit but it's essentially what you wrote). I'll send in a patch to Steve tomorrow.
> + /etc/vhosts system_u:object_r:httpd_config_t

What is /etc/vhosts? I've never used Apache2...

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

From: Tom <tom_at_lemuria.org>
subject: Re: Apache 2 file contexts
Date: Wed, 9 Oct 2002 12:29:35 +0200
Thought so, but I wasn't sure. :)

> If you'd like to make Apache your thing then you could start working on the

I will definitely work further on Apache, especially the PHP/CGI part and interaction with proftpd (so users can upload stuff and it automatically gets the right types).

> Anyway I've updated my tree with the equivalent code to your patch (I've

I have no idea, actually. I've just started working with Apache2. I will find out soon, though, and then decide if it warrants its own type.
From: Tom <tom_at_lemuria.org>
subject: Re: Apache 2 file contexts
Date: Wed, 9 Oct 2002 17:25:04 +0200
Oct 9 19:16:20 nsa2 kernel: avc: denied { read } for pid=5347 exe=/usr/sbin/apache2 path=/1 dev=00:07 ino=3 scontext=system_u:system_r:httpd_t tcontext=tom:object_r:sysadm_devpts_t tclass=chr_file

piping that into newrules tells me:

allow httpd_t sysadm_devpts_t:chr_file { read };

Which to my (still somewhat green) ears doesn't sound like a tremendously great idea.
subject: Re: Apache 2 file contexts
Date: Wed, 9 Oct 2002 21:34:29 +0200
Most daemons do that. This is because they inherit file handles 0, 1, and 2 (stdin, stdout, stderr) from the shell. Some daemons can survive without such access, but many (most) can't.

In my tree for many daemons I have something like the following:

allow daemon_t admin_tty_type:chr_file { read write };

I am going to devise a different solution to this, see the list archives for my previous messages on the topic.
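As an added illustration (not code from the thread, nor from the newrules tool Tom mentions): a small Python parser that turns the avc denial quoted above into the allow rule newrules produced, and flags any generated rule that would let a daemon domain read or write a terminal type, the inherited-tty case Russell describes. The denial line is copied from the thread; sysadm_tty_device_t and daemon_t are assumed names used only for illustration.

```python
import re

# The avc denial quoted in the thread above (copied from the message, not constructed).
AVC_LINE = ("Oct 9 19:16:20 nsa2 kernel: avc: denied { read } for pid=5347 "
            "exe=/usr/sbin/apache2 path=/1 dev=00:07 ino=3 "
            "scontext=system_u:system_r:httpd_t "
            "tcontext=tom:object_r:sysadm_devpts_t tclass=chr_file")

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Terminal types, standing in for Russell's admin_tty_type attribute. A daemon reading or
# writing one of these usually means it inherited an admin's tty as fd 0/1/2, not that it
# needs terminal access. sysadm_devpts_t is from the thread; sysadm_tty_device_t is assumed.
ADMIN_TTY_TYPES = {"sysadm_devpts_t", "sysadm_tty_device_t"}

def parse_avc(line):
    """Return source type, target type, object class and permissions of one denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "source": m.group("scontext").split(":")[2],   # user:role:type -> type
        "target": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "perms": sorted(m.group("perms").split()),
    }

def to_allow_rule(denial):
    """Render the rule a tool like newrules would emit for this denial."""
    return "allow {source} {target}:{tclass} {{ {perms} }};".format(
        source=denial["source"], target=denial["target"],
        tclass=denial["tclass"], perms=" ".join(denial["perms"]))

def is_tty_leak(denial):
    """True when the rule would let a domain touch an admin terminal type; such a rule
    deserves review (why does the daemon still hold the tty?) rather than a paste into policy."""
    return (denial["tclass"] == "chr_file" and denial["target"] in ADMIN_TTY_TYPES
            and bool({"read", "write"} & set(denial["perms"])))

if __name__ == "__main__":
    d = parse_avc(AVC_LINE)
    print(to_allow_rule(d))
    if is_tty_leak(d):
        print("# review: grants a daemon domain access to an admin terminal type")
```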
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009