qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Carl Trieloff <cctriel...@redhat.com>
Subject Re: Access management with QPid
Date Wed, 18 Feb 2009 18:53:30 GMT

Josh,

I have copied Dan, I can comment on the ACL side for Qpid... ... I'll 
leave the SELinux side to Dan.

Carl.


Joshua Kramer wrote:
>
> Hey, that'd be great! I may also post to the SELinux mailing list. 
> After looking over the SELinux documentation and some other resources, 
> here's what I've found.
>
> There are a couple of ways we can go about this. The first way, is to 
> use pseudo-contexts to load ACL's stored in SELinux into QPid ACL's. 
> (Here, 'context' means a SELinux context.) To accomplish access 
> control in this manner, we need to do the following:
>
> 1. Create some pseudo-contexts representing QPid objects (things like 
> queues, exchanges, etc.)
> 2. Go to a file on the filesystem and read in text-based user names.
> 3. For each name, compute the target contexts that it is allowed to 
> access... and convert those into QPid ACL's.
>
> I do not think there is a way to call SELinux and ask it, "give me a 
> list of all the users in the QPid Type, and the things they can 
> access..." But I may be mistaken. There are some third-party SELinux 
> tools for which the source is accessible, so I may peruse those tools.
>
> The second way in which we can integrate SELinux into QPid is a bit 
> more complicated. Instead of using the built-in ACL's, we can go into 
> the data structures holding the various QPid objects (queues, 
> exchanges, etc.) and add elements for SELinux security contexts to 
> each object. We would then place calls to security_compute_av before 
> each call that manupulates an object, to determine if that particular 
> operation was permitted.
>
> The second way requires more work because it would be tightly woven 
> into many different parts of the broker. The first way is less work 
> because it merely implements an ACL plugin on top of SELinux.
>
> So, this is becomes a philosophical discussion. Should we implement 
> QPid ACL's on top of SELinux, or implement SELinux in the broker itself?
>
> Cheers,
> -Josh
>
> On Wed, 18 Feb 2009, Carl Trieloff wrote:
>
>> Date: Wed, 18 Feb 2009 12:51:01 -0500
>> From: Carl Trieloff <cctrieloff@redhat.com>
>> To: Joshua Kramer <josh@globalherald.net>
>> Cc: dev@qpid.apache.org, users@qpid.apache.org
>> Subject: Re: Access management with QPid
>>
>> Joshua Kramer wrote:
>>>
>>>> remote interfaces for ACL. Cross
>>>> posting to the dev list, as I don't remember who was prototyping/ 
>>>> implementing this.
>>>
>>> I am playing with pulling the ACL information from SELinux. 
>>> Currently, I'm determining the best SELinux method to use to get the 
>>> ACL's we need.
>>>
>>> Cheers,
>>> -Josh
>>>
>> If you think you know what to do I can forward your ideas to someone 
>> on the SELinux team if you want comment. Some of the guys on SELinux 
>> sit one floor below me ;-)
>>
>


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org


Mime
View raw message