You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@qpid.apache.org by Joshua Kramer <jo...@globalherald.net> on 2008/10/21 16:20:06 UTC

Extending ACL's with SE-QPid

Hello All,

Here's an off the wall idea.  Are there any use cases for making QPid a 
part of the SELinux ecosystem?

There is currently a project called SE-Postgres.  SE-Postgres allows one 
to restrict access to rows, columns, and other database features based on 
the SELinux restrictions assigned to the connected user.

Might we want to restrict access to QPid resources in the same way?

Cheers,
-Josh

-- 

-----
http://www.globalherald.net/jb01
GlobalHerald.NET, the Smarter Social Network! (tm)

Re: Extending ACL's with SE-QPid

Posted by Carl Trieloff <cc...@redhat.com>.

Joshua Kramer wrote:
>
> Hello All,
>
> Here's an off the wall idea.  Are there any use cases for making QPid 
> a part of the SELinux ecosystem?
>
> There is currently a project called SE-Postgres.  SE-Postgres allows 
> one to restrict access to rows, columns, and other database features 
> based on the SELinux restrictions assigned to the connected user.
>
> Might we want to restrict access to QPid resources in the same way?
>
> Cheers,
> -Josh
>

Josh,

I know the guys at freeIPA.org have discussed with me to take Qpid as a 
dependency, and integrate the policy management. This would mean
that both Qpid and SELinux could be administered by the same policy server.

However I think you are thinking to maybe also have the ACL module get 
it's asserts from SELinux. I believe that be quite easy and should
be quite quick to prototype and see if it has legs.

In cpp/src/qpid/acl  you will find a plugin that implements AclModule.h 
from the qpid/broker directory.  

Basically you can copy & rename the acl directory SE-QpidAcl and 
re-implement the following two functions to calls in Acl.cpp the SELinux 
policy tests. SELinux asserts are complied
policies so VERY,VERY fast.


I have marked with comments the two lines that would need to change to 
call to SELinux + you will have to disconnect the file loading (not a 
big deal to do)



   virtual bool authorise(const std::string& id, const Action& action, 
const ObjectType& objType, const std::string& name, std::map<Property, 
std::string>* params=0);
   virtual bool authorise(const std::string& id, const Action& action, 
const ObjectType& objType, const std::string& ExchangeName,const 
std::string& RoutingKey);


   bool Acl::authorise(const std::string& id, const Action& action, 
const ObjectType& objType, const std::string& name, std::map<Property, 
std::string>* params)
   {
      if (!aclValues.enforce) return true;
      boost::shared_ptr<AclData> dataLocal = data;  //rcu copy
     
      // -------------   Call SELinux rather than the loaded file data 
----------------------------
      AclResult aclreslt = dataLocal->lookup(id,action,objType,name,params);
     
     
      return result(aclreslt, id, action, objType, name);
   }

   bool Acl::authorise(const std::string& id, const Action& action, 
const ObjectType& objType, const std::string& ExchangeName, const 
std::string& RoutingKey)
   {
      if (!aclValues.enforce) return true;
      boost::shared_ptr<AclData> dataLocal = data;  //rcu copy
     
      // -------------   Call SELinux rather than the loaded file data 
----------------------------
      AclResult aclreslt = 
dataLocal->lookup(id,action,objType,ExchangeName,RoutingKey); 
     
      return result(aclreslt, id, action, objType, ExchangeName);
   }



Let me know if you need any help, and am very interested in the idea

Carl.