Security Enhanced Linux
SELinux Mailing List
subject: New SuSE rules
Date: Thu, 1 Aug 2002 08:59:14 +0200
My new rule set for SuSE can be found under
http://www.carstengrohmann.de/download/selinux/.
This includes additional rules for getty_t, so that it now runs fine with
the SuSE mingetty.
Please mail me any comments, if it works fine, if there are problems ....

Carsten

--
You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Russell Coker <russell_at_coker.com.au>
subject: Re: New SuSE rules
Date: Thu, 1 Aug 2002 17:13:51 +0200
Firstly try and avoid using file_type and domain if possible. I really doubt that getty needs to be able to read everything under /proc/[0-9]* and stat every file or device on the file system. I guess that it's doing some type of "lsof" operation, so some dontaudit would be in order. What is /dev/blog? It's not in Documentation/devices.txt in the kernel source...
> # Allow access to modules_object_t (lib/modules)

Why does initrc_t need to remove files from /lib/modules? Perhaps a domain transition to update_modules_t is what you need...

> # Access to file_t (/opt)

You should never grant anything access to file_t. The existence of file_t labelled objects indicates a deficiency in your file_contexts.

> # Access to /dev/xconsole

We need a better type for that pipe.

> # Access to /dev/tty10

Do you realise that anyone can kill the machine by pressing ^S on VC 10?

> file_type_auto_trans(ntpd_t, etc_t, etc_ntp_t)

Why does ntpd need to create files under /etc? Must be a deficiency in the package.

> allow ntpd_t console_device_t:chr_file { read write };
My Debian package has the following patch to macros/global_macros.te to
address that:
> # Access to /proc/sys/kernel

That's in my Debian package.

> # Access to /var

That's in the daemon_domain macro, it should have worked without that.

--
I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field.

From: Carsten Grohmann <carstengrohmann_at_gmx.de>
subject: Re: New SuSE rules
Date: Thu, 1 Aug 2002 20:22:42 +0200
It's a problem with SuSE's mingetty. It reads all or most of the /proc/<PID> directories and all files in /var/log. So I have to add these rules. I wrote to SuSE to change the mingetty program. On the other side, you can use Red Hat's mingetty, which runs fine without these additional rules.

> I guess that it's doing some type of "lsof" operation, so some dontaudit

It is not possible to deny these operations, because mingetty will not work correctly.

> What is /dev/blog? It's not in Documentation/devices.txt in the kernel

The blog daemon is a part of the SuSE boot concept.

> > # Allow access to modules_object_t (lib/modules)

I can not change the domain, because the boot script (/etc/init.d/boot) removes /lib/modules/`uname -r`/modules.dep. I don't see a possibility to do a domain transition for this -- it is a shell script with an rm in it.

> > # Access to file_t (/opt)

The NSA distribution does not have a type for /opt. In the next days I will send a patch to correct this.

> > # Access to /dev/xconsole

Done. I label it as devlog_t.

> > # Access to /dev/tty10

No, this was unknown to me. Could it be that this problem is not SELinux specific? I don't know of any solution. Have you disabled the log messages on tty10?

> > file_type_auto_trans(ntpd_t, etc_t, etc_ntp_t)

On SuSE: Under /etc are the ntpd configuration file and ntp.drift.

Thanks for your comments

Carsten

From: Russell Coker <russell_at_coker.com.au>
subject: Re: New SuSE rules
Date: Thu, 1 Aug 2002 21:56:18 +0200
Just because a program tries something does not mean that it needs to do it. For example I have added many dontaudit rules for sysadm_home_dir_t (sysadm_home_t for the NSA policy) because of daemons that try to access files or directories under /root and have no need to do so. Any domain that runs "ps" will request access to all of /proc/[0-9]*. The only domain that needs such access is sysadm_t to allow the administrator to see what's running. There is no way that mingetty could require access to ps data on all domains, it may require access to all userdomain, but definitely not domain! Why should a getty know anything about a dhcp server, BIND, or a mail server?

> to SuSE to change the mingetty program. On the other side, you can use Red

Can you email me the source and binary of this SuSE mingetty, I'll look into it and determine what it really needs (or how to fix it).

> > I guess that it's doing some type of "lsof" operation, so some dontaudit

How does it fail?

> > What is /dev/blog? It's not in Documentation/devices.txt in the kernel

How does it work? What does it do?

> > > # Allow access to modules_object_t (lib/modules)

Why not just have your rpm package of SE Linux replace that shell script with another one that does it differently? Surely RPM has some equivalent to the diversion mechanism I use in some of my Debian packages...

> > > # Access to file_t (/opt)

I suggest making opt root_t as it's likely to be the root of a different file system (and it's not something you'll restrict access to unless you're restricting access to the root directory). Then have rules labelling /opt/.*/bin(|/.*) bin_t, etc.

> > > # Access to /dev/xconsole

I'm not sure if that's a good idea. The sock_file vs fifo_file distinction will allow you to suitably lock it down, but there may be confusion among administrators as to what to do.

> > > # Access to /dev/tty10

It's not a SE Linux issue. I noticed the problem years ago on Debian and AFAIK all distributions have always had it. I just don't enable logging to a VC unless you have a moderate amount of trust that the local users aren't malicious or careless enough to do it. If you press ^S the write buffers eventually fill up, syslogd stops accepting logs, and then everything that tries to log will not work. Logging in does a log write and therefore you can't login to a machine in such a state.

> > > file_type_auto_trans(ntpd_t, etc_t, etc_ntp_t)

They should change it to be under /var/lib. /etc is for configuration files not for data files that are always changing.

From: Carsten Grohmann <carstengrohmann_at_gmx.de>
subject: Re: New SuSE rules -- opt file type
Date: Fri, 2 Aug 2002 13:20:36 +0200
Why root_t?

Carsten

From: Russell Coker <russell_at_coker.com.au>
subject: Re: New SuSE rules -- opt file type
Date: Fri, 2 Aug 2002 13:33:56 +0200
In what way is my explanation in the preceding paragraph unclear?

> The standard policy labelled the following directories as file_t:

What is "swap" directory? Nothing should have type file_t on a properly configured system. Any existence of file_t indicates inadequacies in the file_contexts.

> These entries should not be labelled with the same type. If several file

In what situation might you want to grant access to / but not /opt? In what situation might you want to grant access to /opt but not /?
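Russell's two recurring points in this thread are that nothing should end up with type file_t (it means file_contexts has a gap) and that /opt can be root_t with narrower regexes such as /opt/.*/bin(|/.*) for what lives below it. The following is an added example, not code from the thread or from the NSA or SuSE policy: a small Python model of how setfiles applies a file_contexts fragment to a constructed directory tree, so a policy author can see which paths would be left as file_t before loading the policy. The file_contexts fragment and the sample tree are constructed for illustration; the "last matching entry wins" rule is the classic setfiles behaviour and is assumed here, as is the use of file_t for anything no entry matches.

```python
import re
from typing import NamedTuple, Optional

# Constructed file_contexts fragment (not the NSA or SuSE policy) following
# Russell's suggestion: /opt itself is root_t, program directories below it
# get bin_t / lib_t via regexes. Syntax: regex  [type-modifier]  context
FILE_CONTEXTS = """\
/                     -d  system_u:object_r:root_t
/opt                  -d  system_u:object_r:root_t
/opt/.*/bin(|/.*)         system_u:object_r:bin_t
/opt/.*/lib(|/.*)         system_u:object_r:lib_t
"""

# file_contexts type modifiers -> object kind the entry applies to
MODIFIERS = {"-d": "dir", "--": "file", "-p": "fifo", "-c": "chr",
             "-b": "blk", "-s": "sock", "-l": "lnk"}

# Context that anything no entry matches ends up with (assumption for this model)
UNLABELED = "system_u:object_r:file_t"


class Spec(NamedTuple):
    regex: "re.Pattern"
    kind: Optional[str]      # None: applies to every object kind
    context: str


def parse_file_contexts(text: str) -> list:
    """Parse file_contexts lines into Spec entries, keeping file order."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, modifier, context = fields
            kind = MODIFIERS[modifier]
        elif len(fields) == 2:
            pattern, context = fields
            kind = None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        specs.append(Spec(re.compile(pattern), kind, context))
    return specs


def label(specs: list, path: str, kind: str = "file") -> str:
    """Context setfiles would assign to path; the last matching entry wins.
    Entries with a type modifier only apply to objects of that kind."""
    chosen = UNLABELED
    for spec in specs:
        if spec.kind is not None and spec.kind != kind:
            continue
        if spec.regex.fullmatch(path):
            chosen = spec.context
    return chosen


def type_of(context: str) -> str:
    """Extract the type field from user:role:type."""
    return context.split(":")[2]


def find_file_t_gaps(specs: list, tree) -> list:
    """Paths in tree (iterable of (path, kind)) that would be left as file_t,
    i.e. the file_contexts gaps Russell says should not exist."""
    return [p for p, k in tree if type_of(label(specs, p, k)) == "file_t"]


# Constructed sample tree: a hypothetical package "foo" installed under /opt,
# plus the "swap" directory asked about in the thread.
SAMPLE_TREE = [
    ("/", "dir"),
    ("/opt", "dir"),
    ("/opt/foo", "dir"),
    ("/opt/foo/bin", "dir"),
    ("/opt/foo/bin/foo", "file"),
    ("/opt/foo/lib/libfoo.so", "file"),
    ("/opt/foo/share/data", "file"),
    ("/swap", "dir"),
]

if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for path, kind in SAMPLE_TREE:
        print(f"{path:28} {kind:5} {label(specs, path, kind)}")
    print("file_t gaps:", find_file_t_gaps(specs, SAMPLE_TREE))
```

Running it shows that the regexes cover /opt/foo/bin and /opt/foo/lib as intended, but the package directory /opt/foo, anything under /opt/foo/share and the /swap directory fall through to file_t. That gap list is exactly what a policy author should iterate on before granting any domain access to file_t, which Russell advises against in every case.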
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009