And I wouldn't have it any other way.
SELinux compartmentalizes each piece of software and defines a "software firewall" -- if you will -- for what a given program can do, what files it can read, what directories it can write to, what level of network access it has, etc.
Where many people get frustrated with SELinux is when they stray afield of where the OS vendor's policies expected them to go. Running a web server on port 80 is normal. Running it on port 6000, not so much.
For EZproxy, there was no existing policy, so I had to write my own from scratch. I even found some interesting things along the way about EZproxy's memory handling that I had to put special exceptions in the policy to accommodate. I don't know if OCLC fixed the special exception case or not, but I gave them a heads-up about it; I suppose I should remove the exception and see if the server still blows up spectacularly without it.
Basic support was fairly direct, but with each EZproxy upgrade I have to revalidate the policies to ensure that they are still working.
Occasionally I have to tweak things due to OS vendor changes as well. Those generally only show up when I build a new policy; so far the existing policies have continued to work even when I can't build a new one because I did not update for the new vendor changes.
Lately I've been doing more advanced work, allowing librarians to manage their content via FTP into the EZproxy documentation directories.
It is worth it, though, because I know that should someone find a remote compromise for EZproxy, the damage they can do as the ezproxy user is limited not only by the system's file permissions, but also by their SELinux context.
For OCLC to be successful with adding a SELinux policy to EZproxy, though, they need to move away from the statically linked binary installer that you can install anywhere. They need to produce packages for each supported Linux variant so that the files will be installed into known places that the SELinux policies can reference.
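To make the shape of such a policy concrete, here is an added example of a minimal reference-policy-style module for a confined EZproxy daemon: its own domain, its own port type for the non-standard listening port, read-only config and documentation types, a log type, and the FTP allowance for librarians uploading into the documentation directory. This is not the policy described in the post or anything from OCLC; the type names, the install paths under `/opt/ezproxy` (the post's point is precisely that the real paths are not fixed), the `docs` directory name, the port number passed in, and the build via the selinux-policy-devel Makefile are all assumptions. The memory-handling exception the post mentions is deliberately not guessed at.

```shell
#!/bin/sh
# Added example, not the post author's policy. Writes a refpolicy-style
# SELinux module (ezproxy.te + ezproxy.fc) for a hypothetical EZproxy install
# under /opt/ezproxy, then builds and loads it if the policy tools are present.

write_ezproxy_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ezproxy.te" <<'EOF'
policy_module(ezproxy, 1.0.0)

# The daemon's domain and the label of its executable.
type ezproxy_t;
type ezproxy_exec_t;
init_daemon_domain(ezproxy_t, ezproxy_exec_t)

# Config (read-only), served documentation (read-only for the proxy), logs.
type ezproxy_conf_t;
files_config_file(ezproxy_conf_t)
type ezproxy_docs_t;
files_type(ezproxy_docs_t)
type ezproxy_log_t;
logging_log_file(ezproxy_log_t)

# A dedicated port type, so the non-standard listening port is policy, not an exception.
type ezproxy_port_t;
corenet_port(ezproxy_port_t)

read_files_pattern(ezproxy_t, ezproxy_conf_t, ezproxy_conf_t)
read_files_pattern(ezproxy_t, ezproxy_docs_t, ezproxy_docs_t)
list_dirs_pattern(ezproxy_t, ezproxy_docs_t, ezproxy_docs_t)

manage_files_pattern(ezproxy_t, ezproxy_log_t, ezproxy_log_t)
logging_log_filetrans(ezproxy_t, ezproxy_log_t, file)

# Listen on its own port; connect outward to upstream HTTP(S) sites; resolve names.
allow ezproxy_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(ezproxy_t)
allow ezproxy_t ezproxy_port_t:tcp_socket name_bind;
corenet_tcp_connect_http_port(ezproxy_t)
sysnet_dns_name_resolve(ezproxy_t)

# The post mentions a memory-handling exception; the exact permission is not
# stated there, so none is added here. Derive it from the AVC denial with
# audit2allow and review it before granting anything.

# Librarians manage documentation over FTP: ftpd may write the docs type only.
optional_policy(`
    gen_require(`
        type ftpd_t;
    ')
    manage_dirs_pattern(ftpd_t, ezproxy_docs_t, ezproxy_docs_t)
    manage_files_pattern(ftpd_t, ezproxy_docs_t, ezproxy_docs_t)
')
EOF
    # File contexts: assumed install layout under /opt/ezproxy.
    cat > "$dir/ezproxy.fc" <<'EOF'
/opt/ezproxy/ezproxy        --  gen_context(system_u:object_r:ezproxy_exec_t,s0)
/opt/ezproxy/config\.txt    --  gen_context(system_u:object_r:ezproxy_conf_t,s0)
/opt/ezproxy/docs(/.*)?         gen_context(system_u:object_r:ezproxy_docs_t,s0)
/var/log/ezproxy(/.*)?          gen_context(system_u:object_r:ezproxy_log_t,s0)
EOF
}

# Build with the selinux-policy-devel Makefile, load it, label the port, relabel files.
# Usage: install_ezproxy_policy /path/to/module/dir 6000
install_ezproxy_policy() {
    dir="$1"; port="$2"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; module written to $dir only" >&2
        return 0
    fi
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile ezproxy.pp) &&
    semodule -i "$dir/ezproxy.pp" &&
    # If the port is already claimed by another type (6000-6020 is xserver_port_t
    # in the reference policy), use 'semanage port -m' instead of '-a'.
    semanage port -a -t ezproxy_port_t -p tcp "$port" &&
    restorecon -Rv /opt/ezproxy /var/log/ezproxy
}
```

After each EZproxy upgrade the revalidation the post describes amounts to re-running `restorecon` on the install tree, restarting the service, and checking `ausearch -m AVC -ts recent` for denials in the `ezproxy_t` domain before deciding whether the module itself needs a change.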