selinux list move reminder

2018-11-06 Thread Stephen Smalley

Hi,

As a reminder, the selinux mailing list has moved to vger.kernel.org.
If you wish to continue following the list, please subscribe by sending 
a plaintext message containing "subscribe selinux" in the body to 
majord...@vger.kernel.org. Be advised that vger.kernel.org does not 
accept HTML email, so configure your mail clients accordingly.  If you 
have trouble subscribing, send an email to owner-selinux with a 
description of the problem, and if that fails too, let us know. Archives 
for the new list can be found at https://lore.kernel.org/selinux.


Thanks.

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


Re: SELinux MLS for Apache Process

2018-11-06 Thread Stephen Smalley

On 11/6/18 9:33 AM, Ishara Fernando wrote:

Dear all ,

I have been trying to test and see how SELinux MLS works with Apache , 
this is what I did to test


1) As we're aware, if we start the apache process as the default SELinux
user (i.e. just as root user), it will obtain a security context which
has the full range of sensitivities and categories (i.e. s0-s15,
c0-c1023).

[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:sshd_t:s0-s15:c0.c1023

[root@msc-ishara-system1 ~]# ps auxZ | grep -i http
system_u:system_r:sshd_t:s0-s15:c0.c1023 root 29161 0.0  0.4 262888 9248 ? Ss   00:16   0:00 /usr/sbin/httpd
system_u:system_r:sshd_t:s0-s15:c0.c1023 apache 29164 0.0  0.2 262888 5264 ?   S    00:16   0:00 /usr/sbin/httpd



2) Then I stopped apache, switched to a new SELinux role (s4-s5:c1,c2)
and started the Apache process as follows; apache also gets the same
security context as the user (s4-s5:c1,c2).

[root@msc-ishara-system1 ~]# newrole -l s4-s5:c1,c2
Password:

[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:sshd_t:s4-s5:c1,c2

[root@msc-ishara-system1 ~]# /etc/init.d/httpd start

[root@msc-ishara-system1 ~]# ps auxZ | grep -i httpd
system_u:system_r:sshd_t:s4-s5:c1,c2 root 29220 0.0  0.4 262888  9244 ?    Ss   00:18   0:00 /usr/sbin/httpd
system_u:system_r:sshd_t:s4-s5:c1,c2 apache 29223 0.0  0.2 262888 5264 ?   S    00:18   0:00 /usr/sbin/httpd


3) Now I created a file 'info.php' under /var/www/html, and then I
changed the security context of this file as follows:

touch /var/www/html/info.php
chcat s0:c3 /var/www/html/info.php

4) Now that we know the apache process is running in the s4-s5:c1,c2
security context and the file /var/www/html/info.php has the s0:c3
context, the apache process shouldn't be able to read the
/var/www/html/info.php file, as c3 isn't readable by the c1,c2 apache
process according to the Bell-LaPadula model, which is the security
policy in SELinux MLS. However, when I run curl against the apache
process, it produces output (which shows the PHP version and so on):

curl http://localhost/info.php

!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"DTD/xhtml1-transitional.dtd">



SELinux MLS for Apache Process

2018-11-06 Thread Ishara Fernando
Dear all,

I have been trying to test and see how SELinux MLS works with Apache; this
is what I did to test.

1) As we're aware, if we start the apache process as the default SELinux user
(i.e. just as root user), it will obtain a security context which has the
full range of sensitivities and categories (i.e. s0-s15, c0-c1023).

[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:sshd_t:s0-s15:c0.c1023

[root@msc-ishara-system1 ~]# ps auxZ | grep -i http
system_u:system_r:sshd_t:s0-s15:c0.c1023 root 29161 0.0  0.4 262888 9248 ? Ss   00:16   0:00 /usr/sbin/httpd
system_u:system_r:sshd_t:s0-s15:c0.c1023 apache 29164 0.0  0.2 262888 5264 ?   S    00:16   0:00 /usr/sbin/httpd


2) Then I stopped apache, switched to a new SELinux role (s4-s5:c1,c2)
and started the Apache process as follows; apache also gets the same
security context as the user (s4-s5:c1,c2).

[root@msc-ishara-system1 ~]# newrole -l s4-s5:c1,c2
Password:

[root@msc-ishara-system1 ~]# id -Z
system_u:system_r:sshd_t:s4-s5:c1,c2

[root@msc-ishara-system1 ~]# /etc/init.d/httpd start

[root@msc-ishara-system1 ~]# ps auxZ | grep -i httpd
system_u:system_r:sshd_t:s4-s5:c1,c2 root 29220 0.0  0.4 262888  9244 ?    Ss   00:18   0:00 /usr/sbin/httpd
system_u:system_r:sshd_t:s4-s5:c1,c2 apache 29223 0.0  0.2 262888 5264 ?   S    00:18   0:00 /usr/sbin/httpd


3) Now I created a file 'info.php' under /var/www/html, and then I
changed the security context of this file as follows:

touch /var/www/html/info.php
chcat s0:c3 /var/www/html/info.php


4) Now that we know the apache process is running in the s4-s5:c1,c2
security context and the file /var/www/html/info.php has the s0:c3
context, the apache process shouldn't be able to read the
/var/www/html/info.php file, as c3 isn't readable by the c1,c2 apache
process according to the Bell-LaPadula model, which is the security
policy in SELinux MLS. However, when I run curl against the apache
process, it produces output (which shows the PHP version and so on):

curl http://localhost/info.php

!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"DTD/xhtml1-transitional.dtd">
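The dominance test the post reasons about, as an added example (this is editorial code, not from the post, the reply, or the SELinux project): a small Python model of the Bell-LaPadula comparison that SELinux MLS constraints write as `l1 dom l2`, applied to the contexts shown above. A level dominates another when its sensitivity is greater or equal and its category set is a superset. In a range such as s4-s5:c1,c2 the low (current) level is s4 with no categories and the high (clearance) level is s5:c1,c2; the script parses both and checks the file-read case, where the reference policy's base rule compares the subject's low level against the object's level, with a switch for the relaxed "read up to clearance" form. It models only that comparison: the policy's type-based exemptions from the MLS constraints, the kernel's actual access decision, and therefore the reason the curl above succeeded are outside it. The bounds s0-s15 and c0-c1023 are taken from the id -Z output above; the object context used for info.php is constructed, since the post shows only its range s0:c3.

```python
"""Bell-LaPadula dominance check over SELinux MLS ranges.

Added example; not code from the mailing-list post or from SELinux itself.
Assumes sensitivities s0..s15 and categories c0..c1023, as shown by the
id -Z output in the post.
"""
import re
from dataclasses import dataclass

MAX_SENS = 15    # assumption: s0-s15
MAX_CAT = 1023   # assumption: c0-c1023


@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset

    def dominates(self, other: "Level") -> bool:
        # BLP dominance: sensitivity >= and category set is a superset.
        return self.sens >= other.sens and self.cats >= other.cats


def parse_cats(spec: str) -> frozenset:
    """'c1,c2' -> {1, 2}; 'c0.c1023' (a dotted run) -> {0..1023}; '' -> {}."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= MAX_CAT:
            raise ValueError(f"category out of range: {part!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def parse_level(text: str) -> Level:
    """'s4' -> Level(4, {}); 's5:c1,c2' -> Level(5, {1, 2})."""
    m = re.fullmatch(r"s(\d+)(?::(.+))?", text)
    if not m or not 0 <= int(m.group(1)) <= MAX_SENS:
        raise ValueError(f"bad level: {text!r}")
    return Level(int(m.group(1)), parse_cats(m.group(2) or ""))


def parse_range(text: str):
    """'s4-s5:c1,c2' -> (low, high). A single level is its own low and high.
    The high level must dominate the low one, or the range is invalid."""
    low_txt, _, high_txt = text.partition("-")
    low = parse_level(low_txt)
    high = parse_level(high_txt) if high_txt else low
    if not high.dominates(low):
        raise ValueError(f"high level does not dominate low level: {text!r}")
    return low, high


def valid_range(text: str) -> bool:
    try:
        parse_range(text)
        return True
    except ValueError:
        return False


def range_of(context: str) -> str:
    """Accept a full context (user:role:type:range, as ps -Z / id -Z print it)
    or a bare range, and return the range part."""
    parts = context.split(":", 3)
    return parts[3] if len(parts) == 4 else context


def mls_read_allowed(subject_ctx: str, object_ctx: str,
                     to_clearance: bool = False) -> bool:
    """BLP simple security ('no read up') as an MLS file-read constraint:
    the subject's low (current) level must dominate the object's level.
    to_clearance=True compares the subject's high level instead, the relaxed
    form some domains get; type-based exemptions are not modelled here."""
    s_low, s_high = parse_range(range_of(subject_ctx))
    o_low, _ = parse_range(range_of(object_ctx))
    reader = s_high if to_clearance else s_low
    return reader.dominates(o_low)


if __name__ == "__main__":
    httpd_step2 = "system_u:system_r:sshd_t:s4-s5:c1,c2"      # from the post's ps -Z
    httpd_step1 = "system_u:system_r:sshd_t:s0-s15:c0.c1023"  # from the post's ps -Z
    # Constructed object context: the post only shows the range s0:c3.
    info_php = "system_u:object_r:httpd_sys_content_t:s0:c3"
    for name, ctx in (("step 2 httpd", httpd_step2), ("step 1 httpd", httpd_step1)):
        print(name, "low level dominates s0:c3:", mls_read_allowed(ctx, info_php))
        print(name, "clearance dominates s0:c3:", mls_read_allowed(ctx, info_php, True))
```

Run stand-alone it reports that neither the s4 low level nor the s5:c1,c2 clearance of the step-2 httpd dominates s0:c3, because category c3 is in neither set, while the step-1 process (s0-s15:c0.c1023) dominates it only through its clearance, its low level being plain s0. Whether the loaded policy actually applies the comparison to these types is a separate question; the kernel's decision for a real access shows up in the AVC log, which this model does not replace.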