Old 06-22-2012, 06:40 PM
Les Mikesell
 
Default reinventing the wheel? page checker

On Fri, Jun 22, 2012 at 1:28 PM, Bob Hoffman <bob@bobhoffman.com> wrote:
>>
> It seems that to run the webservers selinux wants me to allow a ton of
> privileges to apache, the ftp user, and a bunch of
> other things...seems like that defeats the purpose. And a script
> injection will have all those privileges.

No, selinux doesn't give 'extra' privileges to anything. It adds
extra restrictions based on the context of the processes and the
files/directories besides the ones based on uid/gid.

> I wish I had to time and knowledge to implement it...and add it to my
> handbook, but on a webserver that
> is doing mail ins, mail outs, httpd, mysql, php, self made scripts,
> fail2ban, and host of other programs
> it seems like it requires an experienced hand at it. Or a book.

Yes, it has taken years to get just the standard distributed packages
configured correctly - and that's probably with expert advice
available to the packagers... You can't just drop it in on top of
stuff that has evolved organically for years.

--
Les Mikesell
lesmikesell@gmail.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 06-22-2012, 06:58 PM
Nikolaos Milas
 
Default reinventing the wheel? page checker

On 22/6/2012 9:28 μμ, Bob Hoffman wrote:

> it seems like it requires an experienced hand at it. Or a book.

Some googling took me to:
http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html

It seems interesting and comprehensive from a quick browsing. And it's
public domain too.

Yet, I agree that SElinux is a pain. There are other measures to keep
things under control. Unless you know what you are doing with it,
selinux is going to produce trouble and only trouble.

That's my experience.

(I don't know if I'll ever find the significant time needed to invest in
knowing selinux well enough to use it in production.)

Nick


 
Old 06-22-2012, 08:38 PM
 
Default reinventing the wheel? page checker

Bob Hoffman wrote:
> On 6/22/2012 9:50 AM, m.roth@5-cent.us wrote:
>> Bob Hoffman wrote:
>>> On 6/21/2012 12:44 PM, Keith Roberts wrote:
>>>> On Thu, 21 Jun 2012, Bob Hoffman wrote:
>>>>> From: Bob Hoffman<bob@bobhoffman.com>
>>>>>
<snip>
>> Another thing to consider (and I really, really don't enjoy suggesting
>> it), is selinux. Turn it on to at least permissive, and it'll bitch and
>> moan if something's changed. Turn it to enforcing, and *nothing* will be
>> allowed to be changed. It is, however, a royal pain to configure, esp.
>> when you want to be able to allow a directory for users to put pics.
>>
> Would love to use SElinux. I searched high and low for any kind of
> manual and there was none.

Look for RHEL's 5 or 6; there's professional documentation.

Not that anything's that wonderful.

There's also the selinux list.
<snip>
> One thing I learned...SElinux in permissive mode only gives a warning
> once for an issue...and never again. Makes it hard
> to play with it that way, would prefer a constant error variable to keep
> them coming.

Not true. It will issue an AVC every time something tries to happen. Big
things to know:
a) ll -Z shows you the selinux context
b) chcon [-R] -[urt] <whatever> <file or directory>
c) getsebool and setsebool

mark

 
Old 06-23-2012, 10:16 AM
Daniel J Walsh
 
Default reinventing the wheel? page checker


On 06/22/2012 04:38 PM, m.roth@5-cent.us wrote:
> Bob Hoffman wrote:
>> On 6/22/2012 9:50 AM, m.roth@5-cent.us wrote:
>>> Bob Hoffman wrote:
>>>> On 6/21/2012 12:44 PM, Keith Roberts wrote:
>>>>> On Thu, 21 Jun 2012, Bob Hoffman wrote:
>>>>>> From: Bob Hoffman<bob@bobhoffman.com>
>>>>>>
> <snip>
>>> Another thing to consider (and I really, really don't enjoy suggesting
>>> it), is selinux. Turn it on to at least permissive, and it'll bitch
>>> and moan if something's changed. Turn it to enforcing, and *nothing*
>>> will be allowed to be changed. It is, however, a royal pain to
>>> configure, esp. when you want to be able to allow a directory for users
>>> to put pics.
>>>
>> Would love to use SElinux. I searched high and low for any kind of manual
>> and there was none.
>
> Look for RHEL's 5 or 6; there's professional documentation.
>
> Not that anything's that wonderful.
>
> There's also the selinux list. <snip>
>> One thing I learned...SElinux in permissive mode only gives a warning
>> once for an issue...and never again. Makes it hard to play with it that
>> way, would prefer a constant error variable to keep them coming.
>
> Not true. It will issue an AVC every time something tries to happen. Big
> things to know:
> a) ll -Z shows you the selinux context
> b) chcon [-R] -[urt] <whatever> <file or directory>
> c) getsebool and setsebool
>
> mark
If you are having problems with SELinux just send an email to me or mention it
on the list. There is also pretty good help available on #freenode.

Permissive AVC's are only reported once. You can read this blog for more info.

http://danwalsh.livejournal.com/10972.html

Other blogs you might be interested in:

http://danwalsh.livejournal.com/24537.html
http://danwalsh.livejournal.com/42394.html


 
Old 06-25-2012, 11:52 AM
"James B. Byrne"
 
Default reinventing the wheel? page checker

On Fri, June 22, 2012 16:38, m.roth@5-cent.us wrote:

>
> Not true. It will issue an AVC every time something tries to happen.
> Big things to know:
> a) ll -Z shows you the selinux context
> b) chcon [-R] -[urt] <whatever> <file or directory>
> c) getsebool and setsebool
>
> mark

If you are working with SELinux issues then the following are most
helpful to have installed:

setools-libs.x86_64 3.3.7-4.el6
setools-libs-python.x86_64 3.3.7-4.el6
setroubleshoot-plugins.noarch 3.0.16-1.el6
setroubleshoot-server.x86_64 3.0.38-2.1.el6


The files you need be aware of are:

/var/log/messages
/var/log/audit/audit.log

There are several utilities to be aware of (and to refer to the man pages for):

# audit2allow
# audit2why
# ausearch
# chcon
# getenforce
# getsebool
# restorecon
# sealert
# semanage
# semodule
# setenforce
# setsebool
# system-config-securitylevel

You will also find large measures of patience and forbearance to be of
value.

For issues about missing policies and contexts and developing same you
should monitor the SELinux policy mailing list at
refpolicy@oss1.tresys.com.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3

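The two files James lists above, and the AVC records Mark and Dan Walsh argue about, are what an admin ends up reading when an httpd denial shows up. As an added example that is not from this thread or from any CentOS tool, here is a small Python parser over constructed audit.log records that groups denials by source type, target type, class and permission, and keeps enforcing denials separate from permissive-mode ones (the `permissive=` field is emitted only by kernels that have it; this code treats a missing field as enforcing). The sample records, process names and inode numbers are made up for the example.

```python
import re
from collections import Counter

# Layout of an AVC record in /var/log/audit/audit.log; the trailing permissive=
# field is absent on older kernels and is treated as 0 (enforcing) when missing.
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
                    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not from any real host): httpd reading files left
# in a home directory, plus one permissive-mode hit on the MySQL port.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1340400000.101:200): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1340400000.101:200): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1340400000.105:201): avc:  denied  { read open } for  pid=2345 comm="httpd" name="pic1.jpg" dev=sda1 ino=4712 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1340400000.250:202): avc:  denied  { name_connect } for  pid=2350 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'verdict': m['verdict'], 'perms': m['perms'].split()}
    for key, val in FIELD_RE.findall(m['fields']):
        rec[key] = val.strip('"')
    rec['permissive'] = int(rec.get('permissive', '0'))
    return rec

def summarize(lines):
    """Count denials by (source type, target type, class, permission, permissive)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        src, tgt = rec['scontext'].split(':')[2], rec['tcontext'].split(':')[2]  # user:role:TYPE:level
        for perm in rec['perms']:
            counts[(src, tgt, rec['tclass'], perm, rec['permissive'])] += 1
    return counts

def report(lines):
    """One line per denial tuple, most frequent first. A permissive=1 entry is an
    access that went through, and the kernel logs each distinct one only once,
    so its count is a lower bound on how often it happened."""
    out = []
    for (src, tgt, cls, perm, permissive), n in summarize(lines).most_common():
        mode = 'would deny (permissive)' if permissive else 'denied (enforcing)'
        out.append(f'{src} -> {tgt} ({cls}) {{ {perm} }}: {n}x {mode}')
    return out
```

Each line of the report names exactly the tuple that audit2why, sealert or a boolean lookup with getsebool would then be applied to; a file denial against a type like user_home_t usually points at a labelling fix (chcon/restorecon) rather than a policy change.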