09-06-2011, 01:51 PM
"Robb III, George B."

Monitoring and prevention of MBR activity.

Hi All-
Have an interesting problem in which monitoring and preventing activity on the MBR would be very useful.
Has anyone used SELinux for this type of task?

Thanks for any assistance,
George
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
09-06-2011, 02:04 PM
Daniel J Walsh

Monitoring and prevention of MBR activity.

On 09/06/2011 09:51 AM, Robb III, George B. wrote:
> Hi All-
>
> Have an interesting problem in which monitoring and preventing
> activity on the MBR would be very useful.
>
> Has anyone used SELinux for this type of task?
>
> Thanks for any assistance,
>
> George
>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Maybe if I knew what MBR stood for?
 
09-06-2011, 02:28 PM
John Reiser

Monitoring and prevention of MBR activity.

>> Have an interesting problem in which monitoring and preventing
>> activity on the MBR would be very useful.

> Maybe if I knew what MBR stood for?

Master Boot Record: The first sector (hardware sector 1 [origin is 1])
of the boot drive. Usually accessed as /dev/sda, for instance:
dd if=/dev/sda count=1 of=sda.mbr # read[usual] Master Boot Record

 
09-06-2011, 02:30 PM
"Robb III, George B."

Monitoring and prevention of MBR activity.

Master Boot Record. Apologies for acronyms... Literally the first 512 bytes of the boot drive.
George

On Tue, Sep 6, 2011 at 9:04 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 09/06/2011 09:51 AM, Robb III, George B. wrote:
>> Hi All-
>>
>> Have an interesting problem in which monitoring and preventing
>> activity on the MBR would be very useful.
>>
>> Has anyone used SELinux for this type of task?
>>
>> Thanks for any assistance,
>>
>> George
>
> Maybe if I knew what MBR stood for?
 
09-06-2011, 02:31 PM
Daniel J Walsh

Monitoring and prevention of MBR activity.

On 09/06/2011 10:15 AM, phil wrote:
> Usually Master Boot Record, but Microsoft has semi-equivalents for
> their removable storage, IFS Insert File System, drivespace and
> DoubleSpace, whereas the MBR is key to the partition settings for a
> hard drive, similar protections can be expected to be helpful for
> the partition controls for non-spinning systems.
>
> Using a write protected flash drive for content to prevent its
> alteration can take advantage of spanning. Yet, hardware write
> blocking is usually global, but I have some Calluna controllers
> that allow tailoring of the blocking and access control via
> intercept of the ATA commands.
>
> But, gosh, that is all at least 10 years old tech.
>
> ----- Original Message ----- From: "Daniel J Walsh"
> <dwalsh@redhat.com> To: <selinux@lists.fedoraproject.org> Sent:
> Tuesday, September 06, 2011 7:04 AM Subject: Re: Monitoring and
> prevention of MBR activity.
>
>
> On 09/06/2011 09:51 AM, Robb III, George B. wrote:
>>>> Hi All-
>>>>
>>>> Have an interesting problem in which monitoring and
>>>> preventing activity on the MBR would be very useful.
>>>>
>>>> Has anyone used SELinux for this type of task?
>>>>
>>>> Thanks for any assistance,
>>>>
>>>> George
>>>>
>>>>
>>>> -- selinux mailing list selinux@lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> Maybe if I knew what MBR stood for?
>> -- selinux mailing list selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

Ok, now I recognize it. SELinux can be used to allow/prevent processes
from writing to physical disk. For example, SELinux can prevent
processes, including confined administrators that are running as root,
from writing directly to /dev/sda.

The audit subsystem could be used to watch for processes writing to
physical disk. (SELinux could also, but auditing does a better job.)

Now if you have an app/admin user process that needs to have full
access to the system but want to make sure he does not modify the MBR,
you will have a difficult time writing policy for this.

 
09-06-2011, 02:34 PM
Frank Murphy

Monitoring and prevention of MBR activity.

On 06/09/11 15:04, Daniel J Walsh wrote:
> On 09/06/2011 09:51 AM, Robb III, George B. wrote:
>> Hi All-
>>
>> Have an interesting problem in which monitoring and preventing
>> activity on the MBR would be very useful.
>
> Maybe if I knew what MBR stood for?

http://en.wikipedia.org/wiki/Master_boot_record


--
Regards,

Frank Murphy
UTF_8 Encoded
Friend of fedoraproject.org
 
09-06-2011, 02:34 PM

Monitoring and prevention of MBR activity.

Robb III, George B. wrote:
>
> Have an interesting problem in which monitoring and preventing activity on
> the MBR would be very useful.
>
> Has anyone used SELinux for this type of task?

Why? Most, if not all, BIOSes in the last 15 years allow you to make the
MBR unwriteable, IIRC, so that you have to be at the console, rebooting,
to go into the BIOS to change that. Some also send warning (NMI) to the
console screen if a change is being/about to be made.

That's something that, if I were worried about it, would have locked down
and not have to monitor.

mark

 
09-06-2011, 03:06 PM
Mr Dash Four

Monitoring and prevention of MBR activity.

> Now if you have an app/admin user process that needs to have full
> access to the system but want to make sure he does not modify the MBR
> you will have a difficult time writing policy for this.
>
Not to mention that there are some tools - parted being one - which need
access (rw) to that sector of the hdd, regardless of who runs these tools.

 
09-06-2011, 03:52 PM
"Robb III, George B."

Monitoring and prevention of MBR activity.

Hi All-
Wonderful information and good thread. Thanks!
We have a piece of vendor code that is replicating several fiber attached LUNs. We believe the software has a mis-configuration causing /dev/sda vs /dev/sdaa (one of the many LUNs) to have its MBR zeroed.

SELinux seems like an appropriate tool to at least monitor access if not allow full blocking.
Write protection is not an option as it's a PERC controller and /dev/sda is the boot mirror (unless there are known alternatives)?

Thanks again all,
George


On Tue, Sep 6, 2011 at 10:06 AM, Mr Dash Four <mr.dash.four@googlemail.com> wrote:
>> Now if you have an app/admin user process that needs to have full
>> access to the system but want to make sure he does not modify the MBR
>> you will have a difficult time writing policy for this.
>
> Not to mention that there are some tools - parted being one - which need
> access (rw) to that sector of the hdd, regardless of who runs these tools.



--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
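
An added example, not part of the original thread or any poster's code: one way to combine the audit watch suggested above with a baseline check that reports when the first 512 bytes of a disk have been zeroed or changed. The function names, the baseline file, the audit key `mbr-write` and the temporary image standing in for /dev/sda are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names, the baseline file and the audit key
# "mbr-write" are assumptions chosen for illustration.

# Audit side (needs root and auditd): log every open-for-write of the disk
# node. The watch covers the whole device, not only sector 0.
install_audit_watch() {   # usage: install_audit_watch /dev/sda
    auditctl -w "$1" -p w -k mbr-write
}   # review hits later with: ausearch -k mbr-write

# First sector (512 bytes) of $1 on stdout.
read_mbr() { dd if="$1" bs=512 count=1 2>/dev/null; }

# SHA-256 of the first sector.
mbr_hash() { read_mbr "$1" | sha256sum | cut -d' ' -f1; }

# Print ok | changed | zeroed | unreadable for device $1 vs baseline file $2.
# Exit status: 0 ok, 1 changed or zeroed, 2 unreadable.
mbr_check() {
    [ "$(read_mbr "$1" | wc -c)" -eq 512 ] || { echo unreadable; return 2; }
    if [ "$(read_mbr "$1" | tr -d '\000' | wc -c)" -eq 0 ]; then
        echo zeroed; return 1
    fi
    if [ "$(mbr_hash "$1")" != "$(cat "$2")" ]; then echo changed; return 1; fi
    echo ok
}

# Demo on a constructed 1 MiB image standing in for /dev/sda.
demo() {
    img=$(mktemp) && base=$(mktemp) || return 1
    dd if=/dev/zero of="$img" bs=512 count=2048 2>/dev/null
    # Constructed content: only the 0x55 0xAA boot signature at offset 510.
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
    mbr_hash "$img" > "$base"                   # record the baseline
    mbr_check "$img" "$base" || true            # baseline just taken
    dd if=/dev/zero of="$img" bs=512 count=1 conv=notrunc 2>/dev/null
    mbr_check "$img" "$base" || true            # first sector wiped
    rm -f "$img" "$base"
}
demo
```

Run `mbr_check` from cron against the real boot device and alert on a non-zero exit; the audit records tagged `mbr-write` then show which process opened the device for writing.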
 
