[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Pulp-list] Pulp & SELinux

On 08/01/2011 07:51 AM, John Matthews wrote:
We've added SELinux rules for Pulp on Fedora and RHEL-6 (RHEL-5 is not supported).  The rules are deployed as part of the rpm.

The SELinux rules for the pulp module exist at: selinux/pulp.te
We have a wiki page here that describes a process for updating the rules: https://fedorahosted.org/pulp/wiki/SELinux

If you see any issues please let me know.

Pulp-list mailing list
Pulp-list redhat com

Hi guys,
Please take this as constructive feedback. I'd be happy to give pointers to guides/documents to help improve this - currently though I'm not happy with this, I have no warm fuzzies.

Good point - you can run pulp with SELinux enabled, so better than with it disabled.

Bad point - we have achieved this be choosing to weaken the default security policies shipped in RHEL 6.

Ugly points - reviewing:
 - we give Apache the ability to execute anything within /tmp.
 - we give Apache the ability to delete its own log files.
 - we give Apache the ability to modify its own and anyone else's certs
- we give Apache the ability to connect to any TCP socket/port rather than restrict to specific needed one.

So, I'm concerned - but glad we have taken these first steps. This initial policy should be one to build upon. With a firm understanding of what pulp is and what is does and where on the OS pulp needs to do things - you should and we need to start locking pulp down by code modifications and specific SELinux rules written for pulps needs. Likely command line tool(s) which are confined that pulp calls vs pulp as an apache process trying to read/write over the OS is needed. The knocking holes though walls put up by the SELinux policies which are in pulps way will just lead to someone looking for ways to exploit pulp down the road.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]