[gentoo-hardened] SELinux policy for nginx, or include in apache?

[gentoo-hardened] SELinux policy for nginx, or include in apache?

[Sven Vermeulen]

Hi folks,

As per bug #368795 [1] we have an open request to include a SELinux policy
module for the nginx webserver. However, while working on this, I remembered
a small discussion that upstream had about the same matter [2]. It boils
down to the question: do we support nginx within the existing domains (the
apache SELinux module is generic enough to include support for other
webservers as shown by its current support for lighttpd) or do we use a new
module for this?

[1] https://bugs.gentoo.org/show_bug.cgi?id=368795
[2] http://oss.tresys.com/pipermail/refpolicy/2011-March/004135.html

The thread upstream didn't give a clear signal in my opinion here. On the
one hand was there a mail that said "we should have a specific nginx
module", but the reasoning behind it was countered. Yet the patch itself (to
include nginx support in apache module) isn't pushed to the repository.

Our current "policy" [3] here (what's in a name) has no clear answer on it.
We do say we want to track upstream as closely as possible (and make sure
that our customizations do not interfere with it) but that doesn't give a
signal in either direction.

[3] http://goo.gl/2U0Zr

My /personal/ vision here is that we eventually would need a
capability-based module ("webserver") with specific implementations that use
the interfaces/templates from the generic one for their specific
implementations ("nginx", "apache", ...) but _that_ does not work with the
current upstream implementation (or way of working).

So... ideas? Do we want to "keep it simple" and update the apache policy to
support nginx? Or do we want to stay "least privilege" and have dedicated
rules for applications?

Or do we see if we can deviate from upstream here and start our own path (in
my opinion, we can't as long as we do not have a critical developer mass -
in numbers, not in kilogram).

Wkr,
	Sven Vermeulen

Re: [gentoo-hardened] SELinux policy for nginx, or include in apache?

[Francisco Blas Izquierdo Riera (klondike)]

[-- Attachment #1: Type: text/plain, Size: 265 bytes --]

El 15/06/11 19:45, Sven Vermeulen escribió:
> Or do we see if we can deviate from upstream here and start our own path (in
> my opinion, we can't as long as we do not have a critical developer mass -
> in numbers, not in kilogram).
Hey, I'm not that fat :P


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

Re: [gentoo-hardened] SELinux policy for nginx, or include in apache?

[Anthony G. Basile]

On 06/15/2011 01:45 PM, Sven Vermeulen wrote:

> So... ideas? Do we want to "keep it simple" and update the apache policy to
> support nginx? Or do we want to stay "least privilege" and have dedicated
> rules for applications?
> 

I'm only slowly coming around to policy development, but from my selinux
days, I remember continuously tweaking towards least privilege.  We
could start with a clone of the apache policies and start tweaking
those.  Possibly submit upstream as long as we conform to their
development guidelines.

I have some concern that lumping apache and nginx together may cause
tension between the needs of both packages.  But seeing as I never used
nginx, my concern may be unfounded.

Also, we don't have policies exclusively for lighttpd.  Do you know how
that fits in?

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535

Re: [gentoo-hardened] SELinux policy for nginx, or include in apache?

[Chris Richards]

On Wed, 2011-06-15 at 20:40 -0400, Anthony G. Basile wrote:
> On 06/15/2011 01:45 PM, Sven Vermeulen wrote:
> 
> > So... ideas? Do we want to "keep it simple" and update the apache policy to
> > support nginx? Or do we want to stay "least privilege" and have dedicated
> > rules for applications?
> > 
> 
> I'm only slowly coming around to policy development, but from my selinux
> days, I remember continuously tweaking towards least privilege.  We
> could start with a clone of the apache policies and start tweaking
> those.  Possibly submit upstream as long as we conform to their
> development guidelines.
> 
> I have some concern that lumping apache and nginx together may cause
> tension between the needs of both packages.  But seeing as I never used
> nginx, my concern may be unfounded.
> 
> Also, we don't have policies exclusively for lighttpd.  Do you know how
> that fits in?
> 

I'm torn on this, but basically I think we ought to track upstream here.
This is my thinking:

As mentioned in the thread, nginx acts as a mail server, web server, and
reverse proxy.  The fact that Apache has the capability to function as
an FTP server and forward and reverse proxy actually, to me, highlights
a weakness in the apache policy as it sits today; the fact that it
covers a lot of capabilities within the httpd_t domain.  In other words,
the apache policy, IMO, ought to restrict the httpd_t domain to clearly
httpd-related actions.  If there is a need for apache to perform
ftpd-related things, then there should be a policy that defines a
transition that allows apache to do that, but within the ftpd_t domain.

Following that chain of reasoning then, would result in a similar policy
set for nginx.  The problem is, I'm not entirely certain the current
SELinux architecture allows sufficient isolation and modularization to
do that, nor am I certain that any of us possesses the domain-specific
knowledge necessary to develop such a policy.

Given the inherent (apparent) problems with doing it right, and the
general argument for least privilege, coupled with our lack of
resources, this is an enhancement that (IMO) should be tabled for the
time being.

Just my thoughts, and I am open to counter arguments.

Later,
Chris

Re: [gentoo-hardened] SELinux policy for nginx, or include in apache?

[Sven Vermeulen]

On Wed, Jun 15, 2011 at 10:15:14PM -0500, Chris Richards wrote:
> I'm torn on this, but basically I think we ought to track upstream here.

Which is... ? ;-)

As I said, there's no clear consensus from within upstream.

But I notice most people aim for a specific nginx module, so that's what
we'll go to. I'll make the necessary preparations for it.

Wkr,
	Sven Vermeulen

Re: [gentoo-hardened] SELinux policy for nginx, or include in apache?

[Chris Richards]

On Sun, 2011-06-19 at 17:19 +0200, Sven Vermeulen wrote:
> On Wed, Jun 15, 2011 at 10:15:14PM -0500, Chris Richards wrote:
> > I'm torn on this, but basically I think we ought to track upstream here.
> 
> Which is... ? ;-)

Well, it looked to me like Christopher pretty much squashed the patch,
for reasons already discussed there.  For reasons that I've already
mentioned, my opinion is that we should steer clear of it, at least for
now.  Of course, that's just my opinion.  ;)

Re: [gentoo-hardened] SELinux policy for nginx, or include in apache?

[Chris Richards]

On Sun, 2011-06-19 at 17:19 +0200, Sven Vermeulen wrote:
> On Wed, Jun 15, 2011 at 10:15:14PM -0500, Chris Richards wrote:
> > I'm torn on this, but basically I think we ought to track upstream here.
> 
> Which is... ? ;-)

Well, it looked to me like Christopher pretty much squashed the patch,
for reasons already discussed there.  For reasons that I've already
mentioned, my opinion is that we should steer clear of it, at least for
now.  Of course, that's just my opinion.  ;)

Later,
Gizmo

Re: [gentoo-hardened] SELinux policy for nginx, or include in apache?

[Sven Vermeulen]

On Wed, Jun 15, 2011 at 08:40:01PM -0400, Anthony G. Basile wrote:
[...]
> Also, we don't have policies exclusively for lighttpd.  Do you know how
> that fits in?

It's completely covered by sec-policy/selinux-apache. The httpd_t domain
works pretty well with lighttpd (running it here) and contains the necessary
file context definitions specific for lighttpd.

Wkr,
	Sven Vermeulen