On Wed, 2011-06-15 at 20:40 -0400, Anthony G. Basile wrote:
> On 06/15/2011 01:45 PM, Sven Vermeulen wrote:
> >
> > So... ideas? Do we want to "keep it simple" and update the apache policy to
> > support nginx? Or do we want to stay "least privilege" and have dedicated
> > rules for applications?
> >
>
> I'm only slowly coming around to policy development, but from my selinux
> days, I remember continuously tweaking towards least privilege. We
> could start with a clone of the apache policies and start tweaking
> those. Possibly submit upstream as long as we conform to their
> development guidelines.
>
> I have some concern that lumping apache and nginx together may cause
> tension between the needs of both packages. But seeing as I never used
> nginx, my concern may be unfounded.
>
> Also, we don't have policies exclusively for lighttpd. Do you know how
> that fits in?
>
I'm torn on this, but basically I think we ought to track upstream here.

This is my thinking: As mentioned in the thread, nginx acts as a mail server, web server, and reverse proxy. The fact that Apache has the capability to function as an FTP server and forward and reverse proxy actually, to me, highlights a weakness in the apache policy as it sits today: the fact that it covers a lot of capabilities within the httpd_t domain. In other words, the apache policy, IMO, ought to restrict the httpd_t domain to clearly httpd-related actions. If there is a need for apache to perform ftpd-related things, then there should be a policy that defines a transition that allows apache to do that, but within the ftpd_t domain.

Following that chain of reasoning, then, would result in a similar policy set for nginx. The problem is, I'm not entirely certain the current SELinux architecture allows sufficient isolation and modularization to do that, nor am I certain that any of us possesses the domain-specific knowledge necessary to develop such a policy.

Given the inherent (apparent) problems with doing it right, and the general argument for least privilege, coupled with our lack of resources, this is an enhancement that (IMO) should be tabled for the time being.

Just my thoughts, and I am open to counter arguments.

Later,
Chris
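For readers following the "dedicated rules per application" option, here is a sketch of what a least-privilege nginx module in refpolicy style could look like. It is an added illustration for this thread, not code from Gentoo hardened or upstream refpolicy, and the types (nginx_t, nginx_exec_t, nginx_conf_t, nginx_log_t, nginx_var_run_t) and booleans (nginx_enable_mail_proxy, nginx_enable_reverse_proxy) are assumed names. The idea it demonstrates is the one argued above: the domain gets only the plain web-server rules unconditionally, and the mail-proxy and reverse-proxy roles are gated behind booleans that default to off, so they are granted only on hosts that actually use them instead of living permanently inside the one domain the way they do in httpd_t.

```selinux
# nginx.te -- illustrative sketch, not a shipped policy module.
# All type and boolean names are assumptions for this example.
policy_module(nginx, 0.1)

########################################
#
# Declarations
#

type nginx_t;
type nginx_exec_t;
init_daemon_domain(nginx_t, nginx_exec_t)

type nginx_conf_t;
files_config_file(nginx_conf_t)

type nginx_log_t;
logging_log_file(nginx_log_t)

type nginx_var_run_t;
files_pid_file(nginx_var_run_t)

## <desc>
## <p>
## Allow nginx to act as an IMAP/POP3/SMTP proxy.
## </p>
## </desc>
gen_tunable(nginx_enable_mail_proxy, false)

## <desc>
## <p>
## Allow nginx to connect to backend HTTP servers as a reverse proxy.
## </p>
## </desc>
gen_tunable(nginx_enable_reverse_proxy, false)

########################################
#
# Local policy: the plain web-server role, granted unconditionally
#

# master drops privileges to the worker user and binds port 80/443
allow nginx_t self:capability { setuid setgid net_bind_service };
# master signals its workers on reload/stop
allow nginx_t self:process signal;
allow nginx_t self:tcp_socket create_stream_socket_perms;
allow nginx_t self:unix_stream_socket create_stream_socket_perms;

read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t)
append_files_pattern(nginx_t, nginx_log_t, nginx_log_t)
logging_log_filetrans(nginx_t, nginx_log_t, file)
manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
files_pid_filetrans(nginx_t, nginx_var_run_t, file)

corenet_tcp_bind_generic_node(nginx_t)
corenet_tcp_bind_http_port(nginx_t)
corenet_tcp_sendrecv_generic_if(nginx_t)
corenet_tcp_sendrecv_generic_node(nginx_t)

########################################
#
# Optional roles: only reachable when the matching boolean is on
#

# mail proxy: listen on the mail ports, connect to the real mail backends
# (pop_port_t in refpolicy covers the POP3 and IMAP ports)
tunable_policy(`nginx_enable_mail_proxy',`
	corenet_tcp_bind_smtp_port(nginx_t)
	corenet_tcp_bind_pop_port(nginx_t)
	corenet_tcp_connect_smtp_port(nginx_t)
	corenet_tcp_connect_pop_port(nginx_t)
')

# reverse proxy: outbound connections to backend web servers
tunable_policy(`nginx_enable_reverse_proxy',`
	corenet_tcp_connect_http_port(nginx_t)
')
```

A matching nginx.fc would have to label the binary as nginx_exec_t, the configuration as nginx_conf_t and the log and pid directories accordingly, and the module is built with the usual refpolicy module Makefile. The caveat Chris raises still applies: because nginx runs its mail and web roles inside the same worker processes, a domain transition of the httpd_t-to-ftpd_t kind is not available here, so a boolean is the tightest isolation the current policy language offers for this daemon; it narrows the default privilege set but does not separate the roles into different domains.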