On 02/20/2011 05:59 PM, Dominick Grift wrote:
On 02/20/2011 06:31 AM, Scott Gifford wrote:
On Mon, Jan 17, 2011 at 11:27 PM, Scott Gifford <sgifford@suspectclass.com> wrote:
On Mon, Jan 17, 2011 at 2:45 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
[ ... ]
Third, since my main goal here is to prevent processes from interacting with each other inappropriately, I would like to prevent each HTTP worker from reading any information from "/proc" for other HTTP workers. Currently they are allowed to do this, because they all run in the same domain. Is there any way to prevent this?
libvirt and sandbox use MCS separation for this. Basically they grab random MCS labels to separate the processes. I would suggest using two Categories, s0:c0-c1023,c0-1023 and make sure they are never the same.
    s0:c1,c43
    s0:c2,c43
is fine.
    s0:c1,c1
is not.
Then just set that context and you should get separation. If you need the processes to handle data it might get a little more complicated.
Thanks! I think I will need to learn a little more about this feature before I can use it. I will need a way to generate a unique category number (maybe from the PID?), and the processes will need to handle some shared data and code, so I will need to figure that out as well.
OK, so I have started experimenting with this, but /proc is not behaving how I expect so far.
So I open up two shells. In the first I run:
runcon -l s0-s0:c0,c1 bash
and in the second:
runcon -l s0-s0:c0,c2 bash
So both should have access to c1, but only the first will have access to c1 and only the second will have access to c2.
s0-s0:c0,c2 should not have access to c1
but
s0-s0:c0,c2 should
Err.. I meant: s0-s0:c0.c2 should
. signals a range (so c0.c2 means c0, c1 and c2). , is just a separator (so c0,c2 means c0 and c2).
When I try this on files, it works:
    shell1$ id -Z
    user_u:system_r:unconfined_t:-s0:c0,c1
    shell1$ ls -lZ test.c1 test.c2
    -rw-rw-r-- sgifford sgifford user_u:object_r:user_home_t:s0:c1 test.c1
    -rw-rw-r-- sgifford sgifford user_u:object_r:user_home_t:s0:c2 test.c2
    shell1$ head -1 test.c1 test.c2
    ==> test.c1 <==
    Category 1
    head: cannot open `test.c2' for reading: Permission denied
But on /proc files it does not:
    shell1$ id -Z
    user_u:system_r:unconfined_t:-s0:c0,c1
    shell1$ ls -lZ /proc/10961/maps
    -r--r--r-- sgifford sgifford user_u:system_r:unconfined_t:-s0:c0,c2 /proc/10961/maps
    shell1$ head -1 /proc/10961/maps
    002ac000-002ad000 r-xp 002ac000 00:00 0 [vdso]
from /policy/mcs:
    # Note:
    # - getattr on dirs/files is not constrained.
    # - /proc/pid operations are not constrained.
so that explains the above
That is, even though "ls -lZ" indicates that the maps file for PID 10961 requires c2 and my shell does not have c2, still I am allowed to read this file.
I must be misunderstanding something here. Any thoughts or hints?
Thanks!
-----Scott.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
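The label semantics argued over in this thread (`.` is a range, `,` a separator; a process reads a file only if its categories cover the file's; `/proc/<pid>` is exempt from the MCS constraint) are easy to get wrong by hand, so here is a small model of them as an added example. This is not code from the thread, from libvirt, from sandbox or from any SELinux tool; it runs without SELinux and never calls runcon. The dominance rule is simplified to "the subject's high level must dominate the object's level" and ignores the mcsreadall-style exceptions in the real policy; the `/proc` exemption is modelled from the policy/mcs comment quoted above, and type enforcement is not modelled at all. The generator follows the scheme Dan describes (two distinct random categories from c0..c1023), using names I made up for this example.

```python
"""Model of the SELinux MCS label semantics discussed in this thread.

Added example; not code from the thread, libvirt, sandbox or any SELinux
tool.  It parses category strings the way the thread describes them and
applies a simplified MCS dominance rule for file reads.  No kernel calls.
"""
import random
import re

MCS_MAX_CATEGORY = 1023          # Dan Walsh's suggested pool is c0..c1023

_CAT = re.compile(r"^c(\d+)$")
_SENS = re.compile(r"^s(\d+)$")


def _cat_num(tok):
    m = _CAT.match(tok)
    if not m or int(m.group(1)) > MCS_MAX_CATEGORY:
        raise ValueError("bad category %r" % tok)
    return int(m.group(1))


def parse_categories(cats):
    """'c0,c2' -> {0, 2}  (',' separates);  'c0.c2' -> {0, 1, 2}  ('.' is a range)."""
    result = set()
    for part in filter(None, cats.split(",")):
        if "." in part:
            lo, hi = (_cat_num(t) for t in part.split(".", 1))
            if lo > hi:
                raise ValueError("inverted range %r" % part)
            result.update(range(lo, hi + 1))
        else:
            result.add(_cat_num(part))
    return result


def parse_level(level):
    """'s0:c0,c1' -> (0, {0, 1});  's0' -> (0, set())."""
    sens, _, cats = level.partition(":")
    m = _SENS.match(sens)
    if not m:
        raise ValueError("bad sensitivity %r" % sens)
    return int(m.group(1)), parse_categories(cats)


def parse_range(rng):
    """'s0-s0:c0,c1' -> (low, high); a bare 's0:c0,c1' means low == high."""
    low, dash, high = rng.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if dash else lo)


def dominates(subject_range, object_level):
    """Simplified MCS read rule: the subject's high level must dominate the
    object's level (same-or-higher sensitivity, superset of categories)."""
    _, (s_sens, s_cats) = parse_range(subject_range)
    o_sens, o_cats = parse_level(object_level)
    return s_sens >= o_sens and o_cats <= s_cats


def mcs_allows_read(subject_range, object_level, path):
    """What the thread observed: MCS constrains ordinary file reads, but
    policy/mcs notes that /proc/<pid> operations are not constrained, so a
    label mismatch there is not enforced by MCS.  (Type enforcement still
    applies; this model does not cover it.)"""
    if re.match(r"^/proc/\d+(/|$)", path):
        return True
    return dominates(subject_range, object_level)


def random_pair_label(rng=None):
    """Two distinct random categories, the libvirt/sandbox scheme Dan
    describes: 's0:c1,c43' is fine, 's0:c1,c1' is not (sample() is distinct)."""
    rng = rng or random.SystemRandom()
    a, b = sorted(rng.sample(range(MCS_MAX_CATEGORY + 1), 2))
    return "s0:c%d,c%d" % (a, b)


def allocate_worker_labels(n, rng=None):
    """n labels with no two identical, so no worker's label dominates another's."""
    labels = set()
    while len(labels) < n:
        labels.add(random_pair_label(rng))
    return sorted(labels)


def isolated(label_a, label_b):
    """True when neither process could read files the other created."""
    return not dominates(label_a, label_b) and not dominates(label_b, label_a)


if __name__ == "__main__":
    # The shells from the thread (plus Dominick's corrected range) against the test files.
    for shell in ("s0-s0:c0,c1", "s0-s0:c0,c2", "s0-s0:c0.c2"):
        for f in ("s0:c1", "s0:c2"):
            print("%-12s reads %-6s -> %s" % (shell, f, dominates(shell, f)))
    # /proc/<pid>/maps is readable despite the label mismatch.
    print(mcs_allows_read("s0-s0:c0,c1", "s0:c0,c2", "/proc/10961/maps"))
    # Per-worker labels are pairwise isolated.
    labs = allocate_worker_labels(4)
    print(labs, all(isolated(a, b) for a in labs for b in labs if a != b))
```

Two distinct two-category labels can never dominate each other (a two-element set is only a superset of another two-element set when they are equal), which is why "make sure they are never the same" is sufficient for the file case; it does nothing for `/proc/<pid>`, where the policy comment says MCS is not applied.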