[Pulp-list] Pulp & SELinux

John Matthews jmatthew at redhat.com
Mon Aug 1 19:30:35 UTC 2011



----- Original Message -----
> On 08/01/2011 07:51 AM, John Matthews wrote:
> > We've added SELinux rules for Pulp on Fedora and RHEL-6 (RHEL-5 is
> > not supported). The rules are deployed as part of the rpm.
> >
> > The SELinux rules for the pulp module exist at: selinux/pulp.te
> > We have a wiki page here that describes a process for updating the
> > rules: https://fedorahosted.org/pulp/wiki/SELinux
> >
> > If you see any issues please let me know.
> >
> > _______________________________________________
> > Pulp-list mailing list
> > Pulp-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/pulp-list
> 
> Hi guys,
> Please take this as constructive feedback. I'd be happy to give pointers
> to guides/documents to help improve this - currently though I'm not
> happy with this, I have no warm fuzzies.
> 
> Good point - you can run pulp with SELinux enabled, so better than with
> it disabled.
> 
> Bad point - we have achieved this by choosing to weaken the default
> security policies shipped in RHEL 6.
> 
> Ugly points - reviewing:
> http://git.fedorahosted.org/git/?p=pulp.git;a=blob_plain;f=selinux/pulp.te;hb=HEAD
> - we give Apache the ability to execute anything within /tmp.
> - we give Apache the ability to delete its own log files.
> - we give Apache the ability to modify its own and anyone else's certs.
> - we give Apache the ability to connect to any TCP socket/port rather
> than restrict to the specific one needed.
> 
> So, I'm concerned - but glad we have taken these first steps. This
> initial policy should be one to build upon. With a firm understanding of
> what pulp is and what it does and where on the OS pulp needs to do
> things - you should and we need to start locking pulp down by code
> modifications and specific SELinux rules written for pulp's needs. Likely
> command line tool(s) which are confined that pulp calls vs pulp as an
> apache process trying to read/write over the OS is needed. The knocking
> holes through walls put up by the SELinux policies which are in pulp's way
> will just lead to someone looking for ways to exploit pulp down the road.
> 
> Regards,
> Cliff

Cliff,

Thank you for reviewing. This is my first attempt at SELinux rules, I am not surprised they can be improved :)

I would be most interested in working with you to learn how we can improve the rules.
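For readers following the thread, the fragment below is a constructed illustration added here, not the contents of Pulp's pulp.te: it places the four over-broad grants Cliff lists beside narrower rules that scope the same needs to Pulp-owned types. The types pulp_tmp_t, pulp_cert_t and pulp_port_t, and the port binding step, are assumptions for the illustration; httpd_t, httpd_log_t, tmp_t and cert_t are the standard reference-policy types.

```selinux
# Constructed illustration for this thread, not Pulp's own pulp.te.
policy_module(pulp_tightened, 0.1)

require {
    type httpd_t;        # Apache's domain, which Pulp runs under
    type httpd_log_t;    # Apache log files
    type tmp_t;          # generic /tmp
    type cert_t;         # system certificate store (/etc/pki)
}

########## Grants of the kind the review objects to ##########
# 1. Anything dropped into /tmp becomes executable by Apache.
allow httpd_t tmp_t:file { getattr open read execute execute_no_trans };
# 2. Apache may remove its own audit trail.
allow httpd_t httpd_log_t:file unlink;
# 3. Apache may rewrite every certificate on the host, not just Pulp's.
allow httpd_t cert_t:file { write unlink };
# 4. Apache may open an outbound TCP connection to any port.
corenet_tcp_connect_all_ports(httpd_t)

########## Narrower rules scoped to what Pulp itself owns ##########
# Private types (assumed names) so rules do not widen tmp_t / cert_t.
type pulp_tmp_t;
files_tmp_file(pulp_tmp_t)
type pulp_cert_t;
files_type(pulp_cert_t)

# 1'. Apache may create and use Pulp's temp files, but never execute them:
#     new files it makes under /tmp are labelled pulp_tmp_t.
files_tmp_filetrans(httpd_t, pulp_tmp_t, file)
manage_files_pattern(httpd_t, tmp_t, pulp_tmp_t)

# 2'. Logs stay append-only: no unlink on httpd_log_t at all.

# 3'. Apache may manage only Pulp's certificates (labelled via the .fc
#     file); system cert_t remains read-only.
manage_files_pattern(httpd_t, pulp_cert_t, pulp_cert_t)

# 4'. Outbound connections limited to one labelled port type.
type pulp_port_t;
corenet_port(pulp_port_t)
allow httpd_t pulp_port_t:tcp_socket name_connect;
# The actual port number is bound at deploy time, for example:
#   semanage port -a -t pulp_port_t -p tcp <PORT>
```

Any rule in the second half that later turns out to be too narrow shows up as a specific AVC denial naming a Pulp type, which is a far more useful signal than a blanket grant that is never triggered.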