SELinux Gentoo/Hardened state 2011-12-19

On December 14th, the Gentoo Hardened project held its monthly online meeting to discuss the current state of affairs of its projects and subprojects. Amongst them, the updates on the SELinux front were presented as well.

Since the last meeting, the following topics have come up.

  • sec-policy/selinux-base-policy, which is the “master” of our SELinux policies and contains those SELinux modules that are somewhat indivisible (hence the name, “base”), is now at revision 8. I tend to describe the changes on the gentoo-hardened mailing list, and this is no different for rev 8. I haven’t stabilized the rev 6 one yet although I promised to; I’ll try to find some time to do that this evening.
  • We had a regression with newrole for some time. Luckily, Jory “Anarchy” Pratt found the issue. Drop the setuid bit from the binary, and the application works again as it should. This will be included in the next policycoreutils bump.
  • The last available sudo package now builds with native SELinux support as well, which allows users to add ROLE= and TYPE= information in the sudoers file. As such, users do not need to call newrole when they need to transition to a specific role for just a single command – sudo can now take care of that.
  • The older selinux/v2refpolicy/* profiles have been deprecated. If you want to use a SELinux-enabled profile, you need to use a profile that ends with /selinux, such as default/linux/amd64/10.0/selinux or hardened/linux/amd64/selinux. Of course we prefer you to use a hardened profile ;-)
  • Documentation-wise,
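A sudoers fragment using the ROLE=/TYPE= options mentioned above, as an added example that is not part of the original post: it lets a staff_r user run one service command in the sysadm role without calling newrole first. It assumes a wheel group, the refpolicy role names staff_r and sysadm_r, and /sbin/rc-service as the single permitted command.

```shell
#!/bin/sh
# Added example (not from the post): a sudoers fragment with SELinux ROLE=/TYPE=
# options so a staff user can run one command as sysadm_r without newrole.
# Assumed: a "wheel" group, refpolicy roles staff_r/sysadm_r, and
# /sbin/rc-service as the only command the entry allows.

# Write the fragment to the file given as $1 (e.g. /etc/sudoers.d/selinux-rc).
# sudoers grammar: user/group host=(runas) ROLE=... TYPE=... command
write_selinux_sudoers() {
    cat > "$1" <<'EOF'
# Members of wheel may manage services; sudo transitions the command into
# sysadm_r:sysadm_t, so "sudo rc-service sshd restart" works from staff_r.
%wheel ALL=(root) ROLE=sysadm_r TYPE=sysadm_t /sbin/rc-service
EOF
    chmod 0440 "$1"
}

# Syntax-check the fragment before copying it in place: sudo refuses to load a
# fragment with a parse error. Falls back to a content check where visudo is
# not installed (for example on a build host).
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        grep -q 'ROLE=sysadm_r TYPE=sysadm_t' "$1"
    fi
}

# Usage: write to a temporary file and check it.
tmp=$(mktemp)
write_selinux_sudoers "$tmp"
check_sudoers "$tmp" && echo "sudoers fragment OK: $tmp"
# The same one-off command without native SELinux support in sudo needed a
# full role change first:
#   newrole -r sysadm_r -- -c 'rc-service sshd restart'
```

The entry is narrower than a newrole shell: only /sbin/rc-service is allowed to transition, and only into the role and type spelled out in the fragment.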

That’s about it. Not a too busy month but progress anyhow.

This entry was posted in Hardened, SELinux.

2 Responses to SELinux Gentoo/Hardened state 2011-12-19

  1. Alain Toussaint says:

    I have been reading the Gentoo Hardened SELinux Handbook and was wondering if Apache could support SELinux for web applications?

    The reason I ask is because I support a web application in PHP for a client which had many attacks, and I had to make the directory of the web application read-only for all to close all the holes in the web application. I also program in Mono’s ASP.NET and would like to secure my application too.

    Thanks
    Alain

  2. swift says:

    There is a SELinux support module for Apache (with which I mean a module that Apache can call so that it offers a finer-grained approach to isolation than within a “generic” httpd_t domain). You can find some information on it at http://selinuxproject.org/page/NB_Apache and the links therein. That said, I don’t have any experience with that just yet.

    SELinux itself does already provide a domain for Apache (it is called “httpd_t”) which isolates Apache (and the applications running inside) so that an exploit should not reach further than the application itself.
