I'm experimenting with SELinux policies again. I've got a test server set
up now, so I have a bit more freedom and flexibility. I have a policy that
is basically working, and wanted to get some feedback on it.
I'm working on designing a security architecture for a Web application we
have under development, and creating an SELinux policy to help implement it.
I would like to prevent any flaws in Apache or the Web application from
leaking access to other HTTP worker processes for current or future
connections, where credentials of other users may be accessible.
The Web server begins in the httpd_t domain, which has somewhat more
privileges than our application needs. For example it has access to the
listening HTTP socket, where it could accept new connections and so access
future connections. I would like to reduce the privileges of the HTTP
worker processes after the connection is accepted but before any user data
has been processed or our application code has been executed.
I have this working with some mod_perl code which hooks into Apache right
after it accepts the connection, and changes its running domain to
httpd_portal_app_t. I did this by allowing a dyntransition from httpd_t to
httpd_portal_app_t, then writing the new context to "/proc/$$/attr/current",
and verified it is working with ps -Z. That domain has a smaller set of
privileges than httpd_t, and is not allowed to do things like accept new
connections, listen on new sockets, read from log files, etc. There is no
rule allowing httpd_portal_app_t to transition back to httpd_t, and after
handling a single connection, the process exits (it is configured with the
Apache option MaxRequestsPerChild 1).
I am still testing and prototyping, but so far this is all working. I have
a few questions, though.
First, I see a lot of warnings in "SELinux by example" and other places on
the Web about how using dyntransition is a bad idea. Is that true in this
case, and if so is there a better way to get a similar degree of isolation
without taking the performance hit that a CGI-based environment would cost?
Second, in RHEL 5, is there a way to constrain my httpd_portal_app_t to have
its permission set bounded by that of httpd_t? That is, so
that httpd_portal_app_t cannot have any privileges that httpd_t does not
have? I see that some versions of SELinux are able to enforce this with the
"typebounds" command, but that doesn't seem to be available in RHEL 5? That
would help me ensure that this domain could only make things more secure,
not less.
Third, since my main goal here is to prevent processes from interacting with
each other inappropriately, I would like to prevent each HTTP worker from
reading any information from "/proc" for other HTTP workers. Currently they
are allowed to do this, because they all run in the same domain. Is there
any way to prevent this?
Finally, if anybody has any thoughts or suggestions from doing similar
applications, your thoughts are appreciated.