web-controlled system

Florin Andrei florin at andrei.myip.org
Fri Jun 3 17:16:30 UTC 2005


On Fri, 2005-06-03 at 17:46 +1000, Russell Coker wrote:
> On Friday 03 June 2005 17:27, Florin Andrei <florin at andrei.myip.org> wrote:
> > On Fri, 2005-06-03 at 16:29 +1000, Russell Coker wrote:
> > > Probably the easiest solution will be to have Apache or the CGI-BIN
> > > script in question running unconfined.
> >
> > True, but I'd like to avoid that.
> 
> If Apache can change system configuration files and restart daemons then 
> what's the point of trying to restrict it?  Using Apache to configure the 
> system to boot without SE Linux enabled should be easy enough.

It's not supposed to change everything. The system will be a "black box"
to the users who have access to it solely through the Web interface, but
that interface is not all-powerful. Some daemons can be tweaked, some
system parameters can be changed, but the interface will not and should
not have discretionary powers.

I'd like to retain some of the protection offered by SELinux.

> The problem you face is how to change the labels on some file so that 
> Apache can write to them but not grant Apache write to too many things.  If 
> your requirement is "control everything over the web" then this may not be a 
> solvable problem.

Ok, I see. My mistake - the interface doesn't control everything.

I'm thinking about this: how about I leave the policy alone, create a
small daemon (in Perl, whatever) that's listening on a Unix socket, then
the Web interface is just passing the commands to the daemon.
The daemon compares them to a list of "known good commands", maybe makes
some other verifications, then goes ahead and executes the commands.
This way I retain the original tight policy, plus I get a supplemental
level of intelligence in validating what gets sent to the system via the
interface.

I dunno, this might be a method that would be interesting for more
people using selinux that want to keep selinux but still be able to have
a deeper control over the system.

> > I'd imagine that by exercising the daemon in all ways possible, and
> > keeping an eye on syslog at the same time, I should be able to figure
> > out what needs to be permitted in the policy, right?
> 
> Correct.

<sigh> I wish there was a concrete example somewhere on how to do that.
It's not like SELinux doesn't have any docs at all but... So many things
to do, so little time...

-- 
Florin Andrei

http://florin.myip.org/
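The allowlisting broker sketched in the message above, written out as an added Python example (not code from the original post or the list); the command names, binary paths and socket path are placeholders assumed for illustration:

```python
import os
import re
import socket
import subprocess

# Known-good commands: each request name maps to a fixed argv, run without a
# shell. Names and paths here are placeholders assumed for this example.
ALLOWED = {
    "restart-ntpd": ["/sbin/service", "ntpd", "restart"],
    "set-hostname": ["/bin/hostname"],  # takes one argument, checked below
}
ARG_PATTERN = {"set-hostname": re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")}

def validate_request(line):
    """Map a request line ("name" or "name arg") to argv, or None if not allowed."""
    parts = line.split()
    if not parts or parts[0] not in ALLOWED:
        return None
    name, args = parts[0], parts[1:]
    argv = list(ALLOWED[name])
    if name in ARG_PATTERN:
        if len(args) != 1 or not ARG_PATTERN[name].match(args[0]):
            return None
        argv.append(args[0])
    elif args:
        return None  # commands without a declared argument take none
    return argv

def handle(conn):
    """Read one request line; execute it only if it validates."""
    line = conn.makefile("r").readline()
    argv = validate_request(line)
    if argv is None:
        conn.sendall(b"REJECTED\n")
        return
    result = subprocess.run(argv, capture_output=True)  # argv list, no shell
    conn.sendall(b"OK\n" if result.returncode == 0 else b"FAILED\n")

def serve(path="/var/run/cmdbroker.sock"):
    """Listen on a Unix socket; its file mode limits who may connect."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)  # e.g. owned by root with the web server's group
    srv.listen(5)
    while True:
        conn, _ = srv.accept()
        with conn:
            handle(conn)
```

The broker runs in its own domain, so the policy only needs to grant the web server a connect to the socket while the broker's domain keeps the rights to restart daemons; the fixed argv tables mean nothing typed into the web form is ever interpreted by a shell.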




More information about the fedora-selinux-list mailing list