We intend to execute web-applications under restrictive privileges (the necessary minimum, if possible) to prevent system resources from being unexpectedly accessed through buggy web-applications.

The new MPM (security) spawns a one-time process for each connection, and it gives third-party modules a chance to assign individual privileges prior to invocation of content handlers. The existing MPMs reuse a process or thread to handle multiple requests. This gives us a benefit from the perspective of performance, but it also gives us a headache: some enhanced security mechanisms (such as SELinux) do not allow a process to revert its privileges once they have been dynamically changed, so it means we cannot reuse a process which has already handled at least one request.

The mod_selinux is a proof of concept. It assigns an individual security context (privileges in SELinux) based on the result of http-authentication, prior to the invocation of the web-application but after the authentication.

The MPM is implemented based on the prefork with a bit of hacks.

- httpd-mpm_security-copied.090414.patch
  It is just a copy from prefork/ to security/.
- httpd-mpm_security-modified.090414.patch
  It is the differences from the original prefork.
- httpd-mod_selinux.090414.patch
  It is the implementation of the mod_selinux module.
Created attachment 23484: Just a copy from prefork to security
Created attachment 23485: Differences from the original prefork
Created attachment 23486: A module to assign SELinux's security context
Any chance mod_selinux could assign privileges based on virtual-host, instead of (or in addition to) http-authentication? That would make it very interesting for web-hosting, where you can give guest_t logins to your users, and only let them edit/see their own virtual-host's DocumentRoot both for ssh-sessions and web-sessions.
(In reply to comment #4)
> Any chance mod_selinux could assign privileges based on virtual-host, instead
> of (or in addition to) http-authentication?

The mod_selinux.so provides the following two configuration parameters:

- selinuxConfigFile
  It specifies the filename which defines associations between http-authentication and domain/range of SELinux.
- selinuxDefaultDomain
  It specifies the fallback domain/range of SELinux, when we have no configuration file or no matched entry.

If you put only selinuxDefaultDomain within a virtual host definition, it means we can assign a certain security context per virtual host.

> That would make it very interesting for web-hosting, where you can give
> guest_t logins to your users, and only let them edit/see their own
> virtual-host's DocumentRoot both for ssh-sessions and web-sessions.

I also think it is a worthwhile and interesting use-case. (Needless to say, it also needs some rework of the security policy.)
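An added httpd.conf sketch of the per-virtual-host use of the two directives named in the comment above; it is not from the patch or the thread, and the domain/range values, the map file path and the site names are assumed placeholders (the map file's format is not given here, so only the directive names are taken from the page).

```apache
# Assumed: mod_selinux and the security MPM are already loaded.
# Each connection is served by a one-time child process, so the context
# assigned below is never carried over to another request.

# Hosting customer A: every request runs as an assumed per-customer domain,
# regardless of authentication, because only selinuxDefaultDomain is set.
<VirtualHost *:80>
    ServerName  site-a.example   # placeholder
    DocumentRoot /srv/www/site-a  # placeholder
    selinuxDefaultDomain httpd_site_a_t:s0   # assumed domain/range value
</VirtualHost>

# Hosting customer B: same pattern with a different assumed domain, so a
# buggy application on site-b cannot read site-a's DocumentRoot under policy.
<VirtualHost *:80>
    ServerName  site-b.example   # placeholder
    DocumentRoot /srv/www/site-b  # placeholder
    selinuxDefaultDomain httpd_site_b_t:s0   # assumed domain/range value
</VirtualHost>

# Authenticated intranet host: pick the domain/range from the map file
# keyed by the http-authentication result, falling back to the default.
<VirtualHost *:80>
    ServerName  intranet.example  # placeholder
    DocumentRoot /srv/www/intranet # placeholder
    <Location />
        AuthType  Basic
        AuthName  "intranet"
        AuthUserFile /etc/httpd/intranet.htpasswd  # placeholder
        Require valid-user
    </Location>
    selinuxConfigFile    /etc/httpd/selinux.map   # placeholder path
    selinuxDefaultDomain httpd_guest_t:s0         # assumed fallback
</VirtualHost>
```

Whether a given domain can actually be transitioned to, and what it may touch, is decided by the loaded SELinux policy, not by these directives alone.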
It can be achieved in another approach. See the mod_selinux.so at: http://code.google.com/p/sepgsql/wiki/Apache_SELinux_plus