FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo Hardened

 
 
LinkBack Thread Tools
 
Old 11-04-2011, 12:44 AM
Stan Sander
 
Default On the right track?

Looks like I'm the second newbie in a week to introduce himself to the
list. I've been a unix/Linux systems administrator for over a decade,
and have been running Gentoo for at least the past 3 years. I have just
in the last week or so switched over to the hardened profile and am
completely new to SELinux, I know this is going to take a while, but
I'm up for it because I also know it will be good for me to gain a more
comprehensive understanding and be able to effectively manage and
properly configure a SELinux system no matter what flavor the distro
happens to be. So, thanks in advance for your patience and guidance as
I try to get my mind wrapped around all of this.

With that said, I am running ~amd64, no multilib, now with the hardened
profile. Thanks to the recently updated selinux-handbook I was able to
get switched over with only a small bump or two. That part was actually
fairly easy. I am running the strict policy in permissive mode since it
is quite obvious to me at this point I would have a severely broken
system if I switched on enforcing. Here are the policies I currently
have installed:

#semodule -l
UWimap 0.6
alsa 1.11.0
apache 2.3.0
apcupsd 1.8.0
apm 1.11.0
automount 1.13.0
bind 1.11.0
cdrecord 2.4.0
clamav 1.9.0
consolekit 1.7.0
cpucontrol 1.3.0
cpufreqselector 1.3.0
cups 1.14.0
dbus 1.15.0
dhcp 1.9.0
dmidecode 1.4.0
gpg 2.4.0
gpm 1.8.0
inetd 1.11.0
java 2.4.0
ldap 1.10.0
logrotate 1.14.0
logwatch 1.11.0
lpd 1.12.0
milter 1.3.0
mono 1.8.0
mozilla 2.4.0
mplayer 2.3.0
mysql 1.12.0
ntp 1.10.0
policykit 1.1.0
portmap 1.9.0
ppp 1.12.0
procmail 1.12.0
pyzor 2.1.0
radvd 1.13.0
rpc 1.13.0
rpcbind 1.5.0
samba 1.14.0
sasl 1.14.0
screen 2.4.0
sendmail 1.11.0
shutdown 1.1.0
skype 0.0.2
spamassassin 2.4.0
thunderbird 2.2.0
uptime 1.4.0
xscreensaver 1.0.0
xserver 3.6.0

I should also mention that my system runs mail, DNS, and web servers as
well as being used as my personal desktop system. I am running this at
home -- not work (i.e. not getting paid for doing it) I would like to
ask for some feedback from the group on my first attempt at writing
selinux rules in the form of a new policy module. I chose my imap
server (net-mail/uw-imap) which runs from xinetd, as my starting point
for analyzing the audit log entries it was generating and coming up with
some selinux rules to address them. I didn't see any pre-existing
policy in portage for the UW-imap server, though one of the other
policies may cover what is needed and what I have written is not
necessary. This policy module has eliminated all of the audit log
entries I had been seeing to date that are associated with my imap, but
that alone doesn't mean I've written a good policy. I would like for
those of you in the group who are more experienced to look this over and
offer some feedback with regard to the way I have done things. Thanks
for your time.

UWimap.if:

interface(`UWimap_domtrans',`
gen_require(`type inetd_t, user_mail_exec_t, user_mail_t;')
domtrans_pattern($1,inetd_t,user_mail_exec_t)
domtrans_pattern($1,user_mail_exec_t,user_mail_t)
')

UWimap.fc:

/usr/sbin/imapd --
gen_context(system_ubject_r:user_mail_exec_t,s0)

UWimap.te
policy_module(UWimap, 0.6)

require {
type mail_spool_t;
type user_mail_t;
type fs_t;
type chkpwd_exec_t;
type inetd_t;
class file { execute setattr read lock create execute_no_trans
write getattr link unlink open append };
class dir { write getattr remove_name add_name };
class filesystem associate;
class capability sys_resource;
class tcp_socket { read write getattr};
class fd use;
class process setrlimit;
}
type user_mail_exec_t;
application_domain(user_mail_t, user_mail_exec_t)
domain_auto_trans(inetd_t, user_mail_exec_t, user_mail_t)
allow user_mail_t fs_t:filesystem associate;
allow user_mail_t chkpwd_exec_t:file { read execute open execute_no_trans };
allow user_mail_t inetd_t:fd use;
allow user_mail_t inetd_t:tcp_socket { read write getattr};
allow user_mail_t self:file {setattr create link unlink};
allow user_mail_t self:dir {write getattr remove_name add_name};

allow inetd_t self:capability sys_resource;
allow inetd_t selfrocess setrlimit;

--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.sblan.net/tashi
 
Old 11-04-2011, 10:58 AM
"Anthony G. Basile"
 
Default On the right track?

On 11/03/2011 09:44 PM, Stan Sander wrote:
> I've been a unix/Linux systems administrator for over a decade,
> and have been running Gentoo for at least the past 3 years.

Only the first 15 years are rough. It gets easier after that. You've
got 5 more to go Welcome!

I'll let SwifT and other Selinuxers comment in detail on your policies.
I would just caution that if you keep creating policies to make every
violation disappear under all circumstanced then you're effectively
disabling selinux. So you need to examine the consequence of each rule
as you are doing, or asking us to do, which is good.

@SwifT - did you ever migrate that doc on how to debug policies to the tree?

Don't be afraid to open bugs as I said in my earlier @newbie email.

As far as the rest of your system, you'll probably want to understand
kernel and toolchain hardening as well:

http://www.gentoo.org/proj/en/hardened/

In brief:

kernel hardening = emerge hardened-sources and enable grsec/pax
grsec = turning off certain operations which can be insecure
(eg. mounting within chroots to break chroots)
pax = enforcing constraints on allocated memory

grsec also provides its own MAC system (RBAC) which you cannot have
enabled at the same time as selinux.

toolchain hardeneing = swtich to hardened profile as you have, re-emerge
gcc/glibc/binutils, re-emerge @system then @world
= ssp = protection against classic buffer overflows
= pie = helps randomize process address space
= fortify-sources = tighten up glibc

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
 
Old 11-04-2011, 01:51 PM
"Francisco Blas Izquierdo Riera (klondike)"
 
Default On the right track?

Welcome, pick an armchair and get confortable here near the fire.
El 04/11/11 02:44, Stan Sander escribió:
> I should also mention that my system runs mail, DNS, and web servers as
> well as being used as my personal desktop system.
Depending on your economical resources you may want to split this off
and get a server which is not as power hungry as a desktop machine tends
to be so as to reduce the amount you pay each month in your bills
regarding electricity ;-) I did so and am not regreting it.
 
Old 11-04-2011, 05:43 PM
Sven Vermeulen
 
Default On the right track?

On Fri, Nov 04, 2011 at 07:58:45AM -0400, Anthony G. Basile wrote:
> I'll let SwifT and other Selinuxers comment in detail on your policies.
> I would just caution that if you keep creating policies to make every
> violation disappear under all circumstanced then you're effectively
> disabling selinux. So you need to examine the consequence of each rule
> as you are doing, or asking us to do, which is good.

Indeed. You've probably noticed a lengthy post of mine on the previous
thread. The next is a short version:

tl;dr - Make sure that every denial you want to resolve is properly
documented (what was doing what for which reason and why is it breaking),
not just an entire denial log.

Of course, there are two (or even more) sides to consider. If the policy you
sent out is working for you but you have no desire to maintain it for more
people (or get it in a manageable way for others to take up maintenance)
then the policy is more than fine. After all, you're the security
administrator for your system, so you control the security policies the way
you please.

However, if the policy is meant to be included in Gentoo, we try to follow
the style mandated by the reference policy [1], one of which includes that
the .te and .if file should never directly mention domains (like
user_home_t) if that domain is not created by that .te file. If you need to
give privileges on your domain for user_home_t (or other domains), please
try using the interfaces defined in those domains instead.

[1] http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide and links from
that page

> @SwifT - did you ever migrate that doc on how to debug policies to the tree?

Yup, it's at [2] and should still be up to date (you never know ;-) I'm
going to make this a bit easier for folks by requesting infra a git repo
where we can develop SELinux policy patches more easily (currently it is
done on github [3] and [4]).

[2] http://www.gentoo.org/proj/en/hardened/selinux-development.xml
[3] https://github.com/sjvermeu/hardened-refpolicy
[4] https://github.com/sjvermeu/small.coding/tree/HEAD/selinux-modules/patches

Wkr,
Sven Vermeulen
 
Old 11-05-2011, 02:13 AM
Stan Sander
 
Default On the right track?

On 11/04/2011 12:43 PM, Sven Vermeulen wrote:
>
> However, if the policy is meant to be included in Gentoo, we try to follow
> the style mandated by the reference policy [1], one of which includes that
> the .te and .if file should never directly mention domains (like
> user_home_t) if that domain is not created by that .te file. If you need to
> give privileges on your domain for user_home_t (or other domains), please
> try using the interfaces defined in those domains instead.
>
Anthony and Sven,

Thanks so much for your responses and for the fine documentation. As I
learn more (and ask more questions) I may begin to offer patch
suggestions and clean up the module I have written so that it can be
used by others if needed. Right now, I've got a lot of learning to do.

--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org
 

Thread Tools




All times are GMT. The time now is 12:53 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org