Previous Entry Share Next Entry
SELinux and the New York Stock Exchange
One of my goals and the goals of upstream developers was to create SELinux in such a way that it could be used by more then just the military/Department of Defense.   Traditional Mandatory Access Control Systems were built around the concept of Multi Level Security where the data and process would run at different security levels: Confidential, Secret and TopSecret.  Most non DOD environments don't classify their employees or data in this way.  They are much more like to define their security goals around what a user or a process is designed to do. 

  • Apache is supposed to read these directories and connect to these ports. 
  • USER-X Should not be allowed to execute files in his home directory. 
  • The database should only be access through its unix domain socket.
All of these relationships can be described and written using type enforcement rules.  If I add a type/label to a process and a type/label to all files/objects on the system.  I then write rules on how the processes interact with the objects.  This is what SELinux does.  This is what type enforcement does.  

What is a process supposed to do? 

Allow the process to do this and nothing else.

In the case of a logged in user, you group all the processes together under a single type (guest_t).  And then you end up with all processes running as guest_t.  None of them can execute in the home directory, None can connect to the network, none can execute the setuid system call to become root. 

Often I give talks on SELinux and we get too deep into the internals of SELinux, I believe we need to bring it down to these simpler terms.

The beauty of this system is that it works for everyone from the highest levels of security in DOD environments down to the kiosk machine at your local library. 

Are non government entities starting to use SELinux?  You betch ya.

New York Stock Exchange

  • 1
Can SELinux finally protect user files with apache in multiuser environment?

In typical environment one user can use mod_php, mod_python, mod_whatever functionality to see files (which contain passwords) from other users web pages on the same server. Can selinux protect one user public_html files from another one in such case?

I know only one method - apparmor and different HATs for different vhosts, but this sucks because isn't upstream and has bunch of oponents due to various reasons. I would like to use selinux for that but... I can't.

Sorry, I don't believe so. SELinux is good at breaking security at the exec time but not within the same process. So apps like apache that use multiple threads, which can read one users passwd data cannot be prevented via SELinux. AppArmour as you said does attempt to prevent this via changing the context within threads. SELinux theoretically could do this using the setexec call, but no one has done it yet. If some enterprising masters student was looking for a project to do, this might be a good idea to try. Make apache SELinux aware.

  • 1

Log in