SELinux Mailing List
Re: New SuSE rules
From: Russell Coker <russell_at_coker.com.au>
Date: Thu, 1 Aug 2002 21:56:18 +0200
Just because a program tries something does not mean that it needs to do it. For example I have added many dontaudit rules for sysadm_home_dir_t (sysadm_home_t for the NSA policy) because of daemons that try to access files or directories under /root and have no need to do so. Any domain that runs "ps" will request access to all of /proc/[0-9]*. The only domain that needs such access is sysadm_t to allow the administrator to see what's running. There is no way that mingetty could require access to ps data on all domains, it may require access to all userdomain, but definitely not domain! Why should a getty know anything about a dhcp server, BIND, or a mail server?
> to SuSE to change the mingetty program. On the other side, you can use Red

Can you email me the source and binary of this SuSe mingetty, I'll look into it and determine what it really needs (or how to fix it).

> > I guess that it's doing some type of "lsof" operation, so some dontaudit

How does it fail?

> > What is /dev/blog? It's not in Documentation/devices.txt in the kernel

How does it work? What does it do?

> > > # Allow access to modules_object_t (lib/modules)

Why not just have your rpm package of SE Linux replace that shell script with another one that does it differently? Surely RPM has some equivalent to the diversion mechanism I use in some of my Debian packages...

> > > # Access to file_t (/opt)

I suggest making opt root_t as it's likely to be the root of a different file system (and it's not something you'll restrict access to unless you're restricting access to the root directory). Then have rules labelling /opt/.*/bin(|/.*) bin_t, etc.

> > > # Access to /dev/xconsole

I'm not sure if that's a good idea. The sock_file vs fifo_file distinction will allow you to suitably lock it down, but there may be confusion among administrators as to what to do.
> > > # Access to /dev/tty10

It's not a SE Linux issue. I noticed the problem years ago on Debian and AFAIK all distributions have always had it. I just don't enable logging to a VC unless you have a moderate amount of trust that the local users aren't malicious or careless enough to do it. If you press ^S the write buffers eventually fill up, syslogd stops accepting logs, and then everything that tries to log will not work. Logging in does a log write and therefore you can't login to a machine in such a state.

> > > file_type_auto_trans(ntpd_t, etc_t, etc_ntp_t)

They should change it to be under /var/lib. /etc is for configuration files not for data files that are always changing.

--
I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the

Received on Thu 1 Aug 2002 - 16:12:26 EDT
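The post above makes a triage argument: a denial is evidence that a program tried something, not that the policy should allow it, so probes of /root by unrelated daemons and ps-style scans of every /proc/[0-9]* directory get dontaudit rules rather than allow rules, and a daemon writing changing data under /etc should be relocated rather than granted write access. The script below is an added example, not code from the mailing list or from any SELinux policy package; it applies those three rules of thumb to a constructed set of AVC denials in the 2002-era kernel message format and emits candidate TE rules in three buckets. The sample lines, the NOISE_TYPES and ADMIN_DOMAINS sets, and the "more than one process domain probed" threshold are all assumptions chosen for illustration.

```python
"""Triage SELinux AVC denials into allow, dontaudit and review buckets.

Added example for the thread above; not code from the mailing list or from
any SELinux policy package.  The AVC lines are constructed, not real logs.
"""
import re
from collections import defaultdict

# Constructed sample denials (not real logs): a getty probing /root and the
# /proc/<pid> directories of other domains the way "ps" would, and ntpd
# reading its config and reading/writing its drift file under /etc.
SAMPLE_AVC = """\
avc:  denied  { search } for  pid=412 exe=/sbin/mingetty name=root dev=03:01 ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:sysadm_home_dir_t tclass=dir
avc:  denied  { getattr } for  pid=412 exe=/sbin/mingetty path=/proc/1 dev=00:03 ino=65538 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:init_t tclass=dir
avc:  denied  { getattr } for  pid=412 exe=/sbin/mingetty path=/proc/97 dev=00:03 ino=6356994 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:named_t tclass=dir
avc:  denied  { read } for  pid=611 exe=/usr/sbin/ntpd name=ntp.conf dev=03:01 ino=9920 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=file
avc:  denied  { read } for  pid=611 exe=/usr/sbin/ntpd name=drift dev=03:01 ino=9931 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:etc_ntp_t tclass=file
avc:  denied  { write } for  pid=611 exe=/usr/sbin/ntpd name=drift dev=03:01 ino=9931 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:etc_ntp_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\} for .*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+) "
    r"tcontext=\w+:(?P<trole>\w+):(?P<ttype>\w+) tclass=(?P<tclass>\w+)"
)

# Assumed: types that unrelated daemons probe without needing them (the /root case).
NOISE_TYPES = {"sysadm_home_dir_t", "sysadm_home_t"}
# Assumed: domains that legitimately need to see every process (the admin running ps).
ADMIN_DOMAINS = {"sysadm_t"}
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}


def parse_avc(text):
    """Yield (source domain, target role, target type, class, perms) per denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield m["sdom"], m["trole"], m["ttype"], m["tclass"], set(m["perms"].split())


def format_rule(kind, sdom, ttype, tclass, perms):
    """Render one TE rule in policy syntax, e.g. 'allow a_t b_t:file { read };'."""
    return f"{kind} {sdom} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


def triage(text):
    """Merge denials per (source, target, class) and sort them into three buckets."""
    merged = defaultdict(set)
    for sdom, trole, ttype, tclass, perms in parse_avc(text):
        merged[(sdom, trole, ttype, tclass)] |= perms

    # A /proc/<pid> entry carries the process context of that pid, so a target
    # whose role is not object_r is another domain's process.  A source that
    # hits several of them is scanning /proc/[0-9]* like ps, not using them.
    probed = defaultdict(set)
    for sdom, trole, ttype, _tclass in merged:
        if trole != "object_r":
            probed[sdom].add(ttype)

    out = {"allow": [], "dontaudit": [], "review": []}
    for (sdom, trole, ttype, tclass), perms in sorted(merged.items()):
        if sdom not in ADMIN_DOMAINS and ttype in NOISE_TYPES:
            out["dontaudit"].append(format_rule("dontaudit", sdom, ttype, tclass, perms))
        elif sdom not in ADMIN_DOMAINS and trole != "object_r" and len(probed[sdom]) > 1:
            out["dontaudit"].append(format_rule("dontaudit", sdom, ttype, tclass, perms))
        elif ttype.startswith("etc") and perms & WRITE_PERMS:
            # Writable state under /etc: the usual fix is relocating the file to
            # /var/lib, not a broader allow rule, so hand it to a human.
            out["review"].append(format_rule("allow", sdom, ttype, tclass, perms))
        else:
            out["allow"].append(format_rule("allow", sdom, ttype, tclass, perms))
    return out


if __name__ == "__main__":
    for bucket, rules in triage(SAMPLE_AVC).items():
        print(f"# {bucket}")
        for rule in rules:
            print(rule)
```

On the sample, the getty's /root probe and its two /proc scans become dontaudit rules, ntpd's read of etc_t becomes an allow rule, and the read/write of etc_ntp_t is held for review. The role check is the useful trick: because a /proc/<pid> directory is labelled with the process's own context, a target role other than object_r is the cheap way to tell "this domain is looking at other processes" from "this domain is touching a file".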
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009