experimental relaxed policy

Stephen Smalley sds at epoch.ncsc.mil
Mon May 3 12:39:59 UTC 2004


On Sun, 2004-05-02 at 18:49, Colin Walters wrote:
> There has been some work done on a "relaxed" policy.  The intention of
> this policy is to simply protect system daemons, and not user logins. 
> Right now there is just a policy for apache (which doesn't really work
> due to a kernel bug).  Everything else runs in an "unconfined_t" domain,
> which essentially has every SELinux permission, and thus you are back to
> relying on DAC.

IIRC, the problem with apache is simply upon restarting it from an admin
shell; with the current policy, SELinux will close the descriptors to
the admin tty, and apache misbehaves if descriptors 0-2 don't exist.

We have a patch to the SELinux module to change it to re-open
descriptors it closes upon exec to the null device to avoid such
problems.  But in the meantime, there are several options:
1) Change /etc/init.d/httpd to redirect descriptors 0-2 to /dev/null
when starting httpd.
2) Remove noatsecure permission from initrc_t to the daemon domains in
the daemon_base_domain macro in policy/macros/global_macros.te.  This
will cause glibc secure mode to be enabled upon the daemon execution, so
that glibc will itself re-open descriptors 0-2 to /dev/null if they are
closed (but will also cause glibc to perform other sanitization that may
not be appropriate).
3) Allow httpd_t to access the tty/pty; not good for production use, but
ok for experimentation with the policy, e.g.:
allow httpd_t { tty_device_t devpts_t }:chr_file rw_file_perms;

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
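As an added example (not Stephen Smalley's SELinux patch and not glibc's own secure-mode code), here is the daemon-side equivalent of what the pending patch and option 2 above achieve: before doing anything else, re-open any closed descriptor among 0-2 onto /dev/null so that a later open() cannot land on a standard descriptor and stdio writes cannot hit an unrelated file. The function names `fd_is_open` and `sanitize_std_fds` are my own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Return 1 if fd is open, 0 if it is closed (EBADF), -1 on any other error. */
int fd_is_open(int fd)
{
    if (fcntl(fd, F_GETFD) != -1)
        return 1;
    return errno == EBADF ? 0 : -1;
}

/* Re-open every closed descriptor among 0, 1, 2 onto /dev/null.
 * Returns the number of descriptors that had to be re-opened,
 * or -1 if /dev/null could not be opened or a check failed. */
int sanitize_std_fds(void)
{
    int reopened = 0;
    for (int fd = 0; fd <= 2; fd++) {
        int state = fd_is_open(fd);
        if (state == 1)
            continue;          /* already open: leave it alone */
        if (state < 0)
            return -1;
        /* open() returns the lowest free descriptor; because lower fds
         * were already ensured open, this normally lands exactly on fd. */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd < 0)
            return -1;
        if (nfd != fd) {       /* defensive: move it into place */
            if (dup2(nfd, fd) < 0) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        reopened++;
    }
    return reopened;
}

int main(void)
{
    /* A daemon would call this first thing in main(), before any open(). */
    int n = sanitize_std_fds();
    fprintf(stderr, "re-opened %d standard descriptor(s) to /dev/null\n", n);
    return n < 0 ? 1 : 0;
}
```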