public inbox for gentoo-hardened@lists.gentoo.org
From: Chris Richards <gizmo@giz-works.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux policy for nginx, or include in apache?
Date: Wed, 15 Jun 2011 22:15:14 -0500
Message-ID: <1308194116.2141.21.camel@chris.localhost>
In-Reply-To: <4DF950E1.9090104@gentoo.org>



On Wed, 2011-06-15 at 20:40 -0400, Anthony G. Basile wrote:
> On 06/15/2011 01:45 PM, Sven Vermeulen wrote:
> 
> > So... ideas? Do we want to "keep it simple" and update the apache policy to
> > support nginx? Or do we want to stay "least privilege" and have dedicated
> > rules for applications?
> > 
> 
> I'm only slowly coming around to policy development, but from my selinux
> days, I remember continuously tweaking towards least privilege.  We
> could start with a clone of the apache policies and start tweaking
> those.  Possibly submit upstream as long as we conform to their
> development guidelines.
> 
> I have some concern that lumping apache and nginx together may cause
> tension between the needs of both packages.  But seeing as I never used
> nginx, my concern may be unfounded.
> 
> Also, we don't have policies exclusively for lighttpd.  Do you know how
> that fits in?
> 

I'm torn on this, but basically I think we ought to track upstream here.
This is my thinking:

As mentioned in the thread, nginx acts as a mail server, web server, and
reverse proxy.  The fact that Apache has the capability to function as
an FTP server and forward and reverse proxy actually, to me, highlights
a weakness in the apache policy as it sits today; the fact that it
covers a lot of capabilities within the httpd_t domain.  In other words,
the apache policy, IMO, ought to restrict the httpd_t domain to clearly
httpd-related actions.  If there is a need for apache to perform
ftpd-related things, then there should be a policy that defines a
transition that allows apache to do that, but within the ftpd_t domain.

Following that chain of reasoning, then, would result in a similar policy
set for nginx.  The problem is, I'm not entirely certain the current
SELinux architecture allows sufficient isolation and modularization to
do that, nor am I certain that any of us possesses the domain-specific
knowledge necessary to develop such a policy.

Given the inherent (apparent) problems with doing it right, and the
general argument for least privilege, coupled with our lack of
resources, this is an enhancement that (IMO) should be tabled for the
time being.

Just my thoughts, and I am open to counter arguments.

Later,
Chris
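
As an added illustration of the dedicated-domain approach argued for above (not code from this thread or from the Gentoo or refpolicy trees; the nginx_t, nginx_exec_t, nginx_conf_t, nginx_log_t and nginx_var_run_t names and the choice of interfaces are assumptions), a minimal refpolicy-style type-enforcement module that gives nginx its own domain and only the HTTP port, rather than widening httpd_t:

```te
policy_module(nginx, 1.0.0)

########################################
#
# Declarations (all type names here are hypothetical)
#

# Dedicated daemon domain; init transitions into it via nginx_exec_t
# instead of reusing httpd_t.
type nginx_t;
type nginx_exec_t;
init_daemon_domain(nginx_t, nginx_exec_t)

# Private file types so nginx cannot touch apache's config or logs.
type nginx_conf_t;
files_config_file(nginx_conf_t)

type nginx_log_t;
logging_log_file(nginx_log_t)

type nginx_var_run_t;
files_pid_file(nginx_var_run_t)

########################################
#
# Local policy
#

# Drop privileges after binding a low port; signal its own workers.
allow nginx_t self:capability { setuid setgid net_bind_service };
allow nginx_t self:process signal;
allow nginx_t self:tcp_socket create_stream_socket_perms;

# Configuration is read-only for the daemon.
read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t)

# Logs and pid file are created with the private types under
# /var/log and /run.
manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
logging_log_filetrans(nginx_t, nginx_log_t, file)
manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
files_pid_filetrans(nginx_t, nginx_var_run_t, file)

# Network: bind only the HTTP port. Mail-proxy or reverse-proxy use
# would need further, separately reviewed, corenet_* interfaces.
corenet_tcp_bind_generic_node(nginx_t)
corenet_tcp_bind_http_port(nginx_t)
corenet_tcp_sendrecv_generic_if(nginx_t)
corenet_tcp_sendrecv_generic_node(nginx_t)

files_read_etc_files(nginx_t)
miscfiles_read_localization(nginx_t)
logging_send_syslog_msg(nginx_t)
```

A matching .fc file labelling the nginx binary nginx_exec_t is still needed; after loading, `sesearch -T -s init_t -t nginx_exec_t` (setools) confirms the init-to-nginx_t transition exists and nothing transitions into httpd_t.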




