Dear all,

I have been trying to test and see how SELinux MLS works with Apache. This is what I did to test:

1) As we're aware, if we start the apache process as the default SELinux user (i.e. just as the root user), it will obtain a security context which has the full range of sensitivities and categories (i.e. s0-s15, c0-c1023):

    [root@msc-ishara-system1 ~]# id -Z
    system_u:system_r:sshd_t:s0-s15:c0.c1023
    [root@msc-ishara-system1 ~]# ps auxZ | grep -i http
    system_u:system_r:sshd_t:s0-s15:c0.c1023 root   29161 0.0 0.4 262888 9248 ? Ss 00:16 0:00 /usr/sbin/httpd
    system_u:system_r:sshd_t:s0-s15:c0.c1023 apache 29164 0.0 0.2 262888 5264 ? S  00:16 0:00 /usr/sbin/httpd

2) Then what I did was stop apache, switch to a new SELinux role (s4-s5:c1,c2) and start the Apache process as follows; apache will also get the same security context as the user (s4-s5:c1,c2):

    [root@msc-ishara-system1 ~]# newrole -l s4-s5:c1,c2
    Password:
    [root@msc-ishara-system1 ~]# id -Z
    system_u:system_r:sshd_t:s4-s5:c1,c2
    [root@msc-ishara-system1 ~]# /etc/init.d/httpd start
    [root@msc-ishara-system1 ~]# ps auxZ | grep -i httpd
    system_u:system_r:sshd_t:s4-s5:c1,c2 root   29220 0.0 0.4 262888 9244 ? Ss 00:18 0:00 /usr/sbin/httpd
    system_u:system_r:sshd_t:s4-s5:c1,c2 apache 29223 0.0 0.2 262888 5264 ? S  00:18 0:00 /usr/sbin/httpd

3) And now I created a file 'info.php' under /var/www/html, and then I changed the security context of this file as follows:

    touch /var/www/html/info.php
    chcat s0:c3 /var/www/html/info.php

4) Now that we know the apache process is running in the s4-s5:c1,c2 security context and the file /var/www/html/info.php has the s0:c3 context, the apache process shouldn't be able to read the /var/www/html/info.php file, as c3 isn't read into the c1,c2 apache process according to the Bell-LaPadula model, which is the security policy in SELinux MLS. However, when I run a curl against the apache process, it produces an output (which shows the PHP version and stuff):

    curl http://localhost/info.php
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
    <html><head>
    <style type="text/css">
    body {background-color: #ffffff; color: #000000;}
    body, td, th, h1, h2 {font-family: sans-serif;}
    pre {margin: 0px; font-family: monospace;}
    a:link {color: #000099; text-decoration: none; background-color: #ffffff;}
    a:hover {text-decoration: underline;}
    table {border-collapse: collapse;}
    .center {text-align: center;}

5) What I need to understand is: am I testing this wrong? When I run the curl command I run it as the same user I switched roles to (i.e. s4-s5:c1,c2), so c3 still isn't read into c1,c2, but I still get an output for the curl. What I am trying to achieve is to show that the Apache process will not be able to read the file /var/www/html/info.php according to the Bell-LaPadula model. Have I missed any step here?

Awaiting your kind guidance and inputs. Thank you.

Regards
Mario Roshane Ishara Fernando
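The dominance check the post is reasoning about, as an added worked example in Python (not part of the original email): it parses the MLS range field of the security contexts shown above and evaluates the Bell-LaPadula simple security property ("no read up") on the subject's current, i.e. low, level. The file's type, httpd_sys_content_t, is an assumption; the post only shows the chcat. One detail worth checking before drawing conclusions from such a test: in SELinux range syntax the categories written after the dash belong to the high level only, so a range of s4-s5:c1,c2 has a current level of plain s4, and the parser below treats it that way. The example models the textbook rule only; what the kernel actually decides depends on the loaded policy's MLS constraints and on any exemptions the policy grants to the process's domain, which the post does not show.

```python
"""Added example: Bell-LaPadula dominance over SELinux MLS labels.

Parses the range part of an SELinux security context (the "s4-s5:c1,c2"
in "system_u:system_r:sshd_t:s4-s5:c1,c2") and evaluates the textbook
simple security property: a subject may read an object only if the
subject's current (low) level dominates the object's level.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity (s0..s15) plus a set of categories."""
    sensitivity: int
    categories: FrozenSet[int]

    def dominates(self, other: "Level") -> bool:
        # "l1 dom l2": higher-or-equal sensitivity AND a superset of categories.
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)

    def __str__(self) -> str:
        cats = ",".join(f"c{c}" for c in sorted(self.categories))
        return f"s{self.sensitivity}" + (f":{cats}" if cats else "")


def _cat(tok: str) -> int:
    if not (tok.startswith("c") and tok[1:].isdigit()):
        raise ValueError(f"bad category: {tok!r}")
    return int(tok[1:])


def parse_categories(spec: str) -> FrozenSet[int]:
    """'c1,c2' -> {1,2}; 'c0.c1023' (a dotted range) -> {0..1023}; '' -> {}."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = (_cat(t) for t in part.split(".", 1))
            if lo > hi:
                raise ValueError(f"bad category range: {part!r}")
            cats.update(range(lo, hi + 1))
        else:
            cats.add(_cat(part))
    return frozenset(cats)


def parse_level(spec: str) -> Level:
    """'s4:c1,c2' -> Level(4, {1,2}); 's0' -> Level(0, {})."""
    sens, _, cats = spec.partition(":")
    if not (sens.startswith("s") and sens[1:].isdigit()):
        raise ValueError(f"bad sensitivity in {spec!r}")
    return Level(int(sens[1:]), parse_categories(cats))


def parse_range(spec: str) -> Tuple[Level, Level]:
    """'s4-s5:c1,c2' -> (low=s4, high=s5:c1,c2); a single level is its own high.

    The text after the dash is the HIGH level, so 's4-s5:c1,c2' has a
    current (low) level of plain s4 with no categories.
    """
    low_spec, _, high_spec = spec.partition("-")
    low = parse_level(low_spec)
    high = parse_level(high_spec) if high_spec else low
    if not high.dominates(low):
        raise ValueError(f"high level must dominate low level: {spec!r}")
    return low, high


def mls_range(context: str) -> str:
    """Extract the range field from a user:role:type:range context string."""
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"context has no MLS field: {context!r}")
    return parts[3]


def check_read(subject_ctx: str, object_ctx: str) -> Tuple[bool, str]:
    """Simple security property: the subject's low (current) level must
    dominate the object's level. Returns (permitted, reason)."""
    subj_low, subj_high = parse_range(mls_range(subject_ctx))
    obj_low, _ = parse_range(mls_range(object_ctx))
    if subj_low.dominates(obj_low):
        return True, f"{subj_low} dominates {obj_low}"
    if obj_low.sensitivity > subj_low.sensitivity:
        why = f"object sensitivity s{obj_low.sensitivity} exceeds subject s{subj_low.sensitivity}"
    else:
        missing = ",".join(f"c{c}" for c in sorted(obj_low.categories - subj_low.categories))
        why = f"object categories {missing} not held by subject {subj_low}"
    if subj_high.dominates(obj_low):
        # Within clearance: only a policy exemption that reads up to clearance would permit it.
        why += f" (within clearance {subj_high})"
    return False, why


if __name__ == "__main__":
    # Subject contexts are those shown in the post; the file's type is assumed.
    info_php = "system_u:object_r:httpd_sys_content_t:s0:c3"
    for subject in ("system_u:system_r:sshd_t:s4-s5:c1,c2",
                    "system_u:system_r:sshd_t:s0-s15:c0.c1023"):
        ok, why = check_read(subject, info_php)
        print(f"{'ALLOW' if ok else 'DENY '} read: {why}")
```

Running it shows that the read in step 4 is denied under the textbook rule, and the reason string names the exact category the process lacks, which is the kind of explanation an AVC denial would not spell out for you.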
_______________________________________________
Selinux mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
