| 1 |
On Wed, 2011-06-15 at 20:40 -0400, Anthony G. Basile wrote: |
| 2 |
> On 06/15/2011 01:45 PM, Sven Vermeulen wrote: |
| 3 |
> |
| 4 |
> > So... ideas? Do we want to "keep it simple" and update the apache policy to |
| 5 |
> > support nginx? Or do we want to stay "least privilege" and have dedicated |
| 6 |
> > rules for applications? |
| 7 |
> > |
| 8 |
> |
| 9 |
> I'm only slowly coming around to policy development, but from my selinux |
| 10 |
> days, I remember continuously tweaking towards least privilege. We |
| 11 |
> could start with a clone of the apache policies and start tweaking |
| 12 |
> those. Possibly submit upstream as long as we conform to their |
| 13 |
> development guidelines. |
| 14 |
> |
| 15 |
> I have some concern that lumping apache and nginx together may cause |
| 16 |
> tension between the needs of both packages. But seeing as I never used |
| 17 |
> nginx, my concern may be unfounded. |
| 18 |
> |
| 19 |
> Also, we don't have policies exclusively for lighttpd. Do you know how |
| 20 |
> that fits in? |
| 21 |
> |
| 22 |
|
| 23 |
I'm torn on this, but basically I think we ought to track upstream here. |
| 24 |
This is my thinking: |
| 25 |
|
| 26 |
As mentioned in the thread, nginx acts as a mail server, web server, and |
| 27 |
reverse proxy. The fact that Apache has the capability to function as |
| 28 |
an FTP server and forward and reverse proxy actually, to me, highlights |
| 29 |
a weakness in the apache policy as it sits today; the fact that it |
| 30 |
covers a lot of capabilities within the httpd_t domain. In other words, |
| 31 |
the apache policy, IMO, ought to restrict the httpd_t domain to clearly |
| 32 |
httpd-related actions. If there is a need for apache to perform |
| 33 |
ftpd-related things, then there should be a policy that defines a |
| 34 |
transition that allows apache to do that, but within the ftpd_t domain. |
| 35 |
|
| 36 |
Following that chain of reasoning then, would result in a similar policy |
| 37 |
set for nginx. The problem is, I'm not entirely certain the current |
| 38 |
SELinux architecture allows sufficient isolation and modularization to |
| 39 |
do that, nor am I certain that any of us possesses the domain-specific |
| 40 |
knowledge necessary to develop such a policy. |
| 41 |
|
| 42 |
Given the inherent (apparent) problems with doing it right, and the |
| 43 |
general argument for least privilege, coupled with our lack of |
| 44 |
resources, this is an enhancement that (IMO) should be tabled for the |
| 45 |
time being. |
| 46 |
|
| 47 |
Just my thoughts, and I am open to counter arguments. |
| 48 |
|
| 49 |
Later, |
| 50 |
Chris |
Archives