qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Kramer <j...@globalherald.net>
Subject RE: Extending ACL's with SE-QPid
Date Tue, 10 Feb 2009 17:06:15 GMT
Hello,

A while back (Oct 21st of 2008) Carl and I briefly discussed modifying 
ACL.cpp to read SELinux contexts instead of the ACL files.  Has anyone 
given this any light?  If not I'll whip up a prototype to see how the 
two work together.

Thanks,
-Josh

In October 2008 Joshua Kramer wrote:

Hello All,

Here's an off the wall idea. Are there any use cases for making QPid a 
part of the SELinux ecosystem?

There is currently a project called SE-Postgres. SE-Postgres allows one 
to restrict access to rows, columns, and other database features based 
on the SELinux restrictions assigned to the connected user.

Might we want to restrict access to QPid resources in the same way?

Cheers, -Josh

Josh,

I know the guys at freeIPA.org have discussed with me to take Qpid as a 
dependency, and integrate the policy management. This would mean that 
both Qpid and SELinux could be administered by the same policy server.

However I think you are thinking to maybe also have the ACL module get 
it's asserts from SELinux. I believe that be quite easy and should be 
quite quick to prototype and see if it has legs.

In cpp/src/qpid/acl you will find a plugin that implements AclModule.h 
from the qpid/broker directory.

Basically you can copy & rename the acl directory SE-QpidAcl and 
re-implement the following two functions to calls in Acl.cpp the SELinux 
policy tests. SELinux asserts are complied policies so VERY,VERY fast.

I have marked with comments the two lines that would need to change to 
call to SELinux + you will have to disconnect the file loading (not a 
big deal to do)

virtual bool authorise(const std::string& id, const Action& action, 
const ObjectType& objType, const std::string& name, std::map<Property, 
std::string>* params=0); virtual bool authorise(const std::string& id, 
const Action& action, const ObjectType& objType, const std::string& 
ExchangeName,const std::string& RoutingKey);

bool Acl::authorise(const std::string& id, const Action& action, const 
ObjectType& objType, const std::string& name, std::map<Property, 
std::string>* params) { if (!aclValues.enforce) return true; 
boost::shared_ptr<AclData> dataLocal = data; //rcu copy

// ------------- Call SELinux rather than the loaded file data

---------------------------- AclResult aclreslt = 
dataLocal->lookup(id,action,objType,name,params);

return result(aclreslt, id, action, objType, name); }

bool Acl::authorise(const std::string& id, const Action& action, const 
ObjectType& objType, const std::string& ExchangeName, const std::string& 
RoutingKey) { if (!aclValues.enforce) return true; 
boost::shared_ptr<AclData> dataLocal = data; //rcu copy

// ------------- Call SELinux rather than the loaded file data

---------------------------- AclResult aclreslt = 
dataLocal->lookup(id,action,objType,ExchangeName,RoutingKey);

return result(aclreslt, id, action, objType, ExchangeName); }

Let me know if you need any help, and am very interested in the idea

Carl.

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org


Mime
View raw message