On Wed, 2011-06-15 at 20:40 -0400, Anthony G. Basile wrote:
> On 06/15/2011 01:45 PM, Sven Vermeulen wrote:
>
> > So... ideas? Do we want to "keep it simple" and update the apache policy to
> > support nginx? Or do we want to stay "least privilege" and have dedicated
> > rules for applications?
> >
>
> I'm only slowly coming around to policy development, but from my selinux
> days, I remember continuously tweaking towards least privilege. We
> could start with a clone of the apache policies and start tweaking
> those. Possibly submit upstream as long as we conform to their
> development guidelines.
>
> I have some concern that lumping apache and nginx together may cause
> tension between the needs of both packages. But seeing as I never used
> nginx, my concern may be unfounded.
>
> Also, we don't have policies exclusively for lighttpd. Do you know how
> that fits in?
>

I'm torn on this, but basically I think we ought to track upstream here.
This is my thinking:

As mentioned in the thread, nginx acts as a mail server, web server, and
reverse proxy. The fact that Apache has the capability to function as
an FTP server and forward and reverse proxy actually, to me, highlights
a weakness in the apache policy as it sits today; the fact that it
covers a lot of capabilities within the httpd_t domain. In other words,
the apache policy, IMO, ought to restrict the httpd_t domain to clearly
httpd-related actions. If there is a need for apache to perform
ftpd-related things, then there should be a policy that defines a
transition that allows apache to do that, but within the ftpd_t domain.

Following that chain of reasoning then, would result in a similar policy
set for nginx. The problem is, I'm not entirely certain the current
SELinux architecture allows sufficient isolation and modularization to
do that, nor am I certain that any of us possesses the domain-specific
knowledge necessary to develop such a policy.

Given the inherent (apparent) problems with doing it right, and the
general argument for least privilege, coupled with our lack of
resources, this is an enhancement that (IMO) should be tabled for the
time being.

Just my thoughts, and I am open to counter arguments.

Later,
Chris