SELinux Mailing List: by thread
From: Tracy R Reed <treed_at_ultraviolet.org>
subject: SELinux policy configuration tutorial?
Date: Fri, 16 Nov 2001 19:00:59 -0800


After months of thinking about it I have finally gotten around to installing SELinux. Very impressive. I am comparing and contrasting it to LIDS and it seems that SELinux is far more flexible although LIDS was far easier to figure out.

I am having problems understanding how to define policies and how the roles, domains, types, etc. work to do this. I am slowly making my way through the documentation on the web site but I find most of it to be quite inscrutable. Has anyone written up a general tutorial on how all of this stuff works in practice?

-- 
Tracy Reed      http://www.ultraviolet.org
My karma ran over your dogma.

-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: SELinux policy configuration tutorial?
Date: Mon, 19 Nov 2001 08:37:53 -0500 (EST)

On Fri, 16 Nov 2001, Tracy R Reed wrote:

> I am having problems understanding how to define policies and how the
> roles, domains, types, etc. work to do this. I am slowly making my way
> through the documentation on the web site but I find most of it to be
> quite inscrutable. Has anyone written up a general tutorial on how all of
> this stuff works in practice?

I don't think anyone has written a general tutorial. However, you'll find quite a bit of useful information in the security server section of the first technical report, the entire second technical report, and the OLS 2001 paper, all of which are on the web site. Several people outside of the SELinux project have already contributed to the example policy configuration, including both refinement of the existing domains and new domains (e.g. Mark Westerman's mount_t, ipsec_t and gdm_t domains, Yuichi Nakamura's named_t domain, David Wheeler's ping_t and hwclock_t domains). Feel free to ask specific questions about policy configuration on the list.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




From: Tracy R Reed <treed_at_ultraviolet.org>
subject: Re: SELinux policy configuration tutorial?
Date: Wed, 21 Nov 2001 01:32:04 -0800


On Mon, Nov 19, 2001 at 08:37:53AM -0500, Stephen Smalley wrote:
> I don't think anyone has written a general tutorial. However, you'll find
> quite a bit of useful information in the security server section of the
> first technical report, the entire second technical report, and the OLS
> 2001 paper, all of which are on the web site. Several people outside of

Thanks. I am slowly making progress. Over the last few nights I've been going through "A Security Policy Configuration for the Security-Enhanced Linux" in the documentation section and I have noticed that I get a 404 if I stop reading and pick it up again later. Looks like the URL changes periodically. Odd.

A policy question: I didn't have apache installed at the time I installed SELinux but now I want to install, make it run some useful web app, and try to secure it. SELinux seems to come with a policy for the stock apache install so I installed the rpm that normally comes with RH6.1.

Then I did:

make relabel && make load

Just to make sure the newly installed files get assigned the right type and the policy gets compiled and loaded. But when I try to start apache I get permission denied:

[root@tracy policy]# /etc/rc.d/init.d/httpd start
Starting httpd: execvp: Permission denied
[root@tracy init.d]# /usr/sbin/httpd
bash: /usr/sbin/httpd: Permission denied
[root@tracy init.d]#
[root@tracy init.d]# ls -la /usr/sbin/httpd
-rwxr-xr-x 1 root root 337500 Mar 29 2001 /usr/sbin/httpd
[root@tracy init.d]# ls -la --context /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd

What am I missing here?

Also, I notice that when I log in as the user "jdoe" and do an ls -la on / the jdoe user sees this:

ls: lost+found: Permission denied
ls: ...security: Permission denied

Not much good for hiding files is it?

As a result of the ls I get this in the messages file:

Nov 21 01:03:53 bench3 kernel: avc:  denied  { getattr } for  pid=9640 exe=/usr/local/selinux/bin/ls path=/...security dev=08:01 ino=38857
Nov 21 01:03:53 bench3 kernel:    scontext=jdoe:user_r:user_t
Nov 21 01:03:53 bench3 kernel:    tcontext=system_u:object_r:file_labels_t
Nov 21 01:03:53 bench3 kernel:    tclass=dir

I'm not sure if I would really want the ls of every user in / to set that off but even more of a problem is that the message takes up four lines in the messages file. I normally run logcheck once an hour which sends me anything interesting from the logfiles after filtering out the bits I have deemed non-interesting so it would be quite convenient to have it all on one line.

-- 
Tracy Reed      http://www.ultraviolet.org

From: Tracy R Reed <treed_at_ultraviolet.org>
subject: Re: SELinux policy configuration tutorial?
Date: Wed, 21 Nov 2001 02:30:20 -0800


On Wed, Nov 21, 2001 at 01:32:04AM -0800, Tracy R Reed wrote:
> Just to make sure the newly installed files get assigned the right type
> and the policy gets compiled and loaded. But when I try to start apache I
> get permission denied:
>
> [root@tracy policy]# /etc/rc.d/init.d/httpd start
> Starting httpd: execvp: Permission denied

I just discovered in the docs:

No domain is currently allowed to bind http_port_t

Why have fully defined policies for running apache if it isn't allowed to bind to the port? How can I allow this?

-- 
Tracy Reed      http://www.ultraviolet.org

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: SELinux policy configuration tutorial?
Date: Wed, 21 Nov 2001 09:19:39 -0500 (EST)

On Wed, 21 Nov 2001, Tracy R Reed wrote:

> No domain is currently allowed to bind http_port_t
>
> Why have fully defined policies for running apache if it isn't allowed to
> bind to the port? How can I allow this?

The technical reports aren't up-to-date. The first report (Integrating Flexible Support for Security Policies into the Linux Operating System) still describes the design and implementation of the original 2.2-based SELinux kernel patch, not the LSM-based SELinux security module. We're working on a new technical report that describes the LSM-based SELinux security module. The second technical report (A Security Policy Configuration for the Security-Enhanced Linux) describes the original example security policy configuration that was developed for the original SELinux on RH6.1, and doesn't reflect subsequent changes. Much of it is still applicable, but this particular note about http_port_t is not true in the current example policy.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: SELinux policy configuration tutorial?
Date: Wed, 21 Nov 2001 09:14:47 -0500 (EST)

On Wed, 21 Nov 2001, Tracy R Reed wrote:

> Thanks. I am slowly making progress. Over the last few nights I've been
> going through "A Security Policy Configuration for the Security-Enhanced
> Linux" in the documentation section and I have noticed that I get a 404
> if I stop reading and pick it up again later. Looks like the url changes
> periodically. Odd.

Everything on the web site is updated for a new release, and the release timestamp is appended to the technical report filenames, just like the archive and patch filenames, so the URL changes with each release. Not sure if there is any point in timestamping these documents, since these technical reports haven't been changed in quite a while.

> A policy question: I didn't have apache installed at the time I installed
> SELinux but now I want to install, make it run some useful web app, and
> try to secure it. SELinux seems to come with a policy for the stock apache
> install so I installed the rpm that normally comes with RH6.1.

Just a side note - we're using RH7.1 as our base platform currently for the LSM-based SELinux prototype. We are also investigating transitioning to RH7.2 (but the latter is pending on 2.4.15 for ext3 support, upgrading the modified utilities, and updating the policy).

> [root@tracy policy]# /etc/rc.d/init.d/httpd start
> Starting httpd: execvp: Permission denied
> [root@tracy init.d]# /usr/sbin/httpd
> bash: /usr/sbin/httpd: Permission denied

Right. You need to be logged into the sysadm_t domain and you need to use the run_init program to run init scripts. Otherwise the script isn't run in the proper security context and fails.

> Also, I notice that when I log in as the user "jdoe" and do an ls -la on /
> the jdoe user sees this:
>
> ls: lost+found: Permission denied
> ls: ...security: Permission denied
>
> Not much good for hiding files is it?

SELinux doesn't try to hide individual filenames within a directory. If a process has read permission to a directory, it can see all names in that directory. But the process might not have getattr permission to individual files, so it may not be able to stat the file for a 'ls -l'. Filenames are part of the directory's state, not part of the file's state. Hiding filenames would be possible by filtering directory reads, as is done in some other systems, but it isn't clear it is worth the cost.

Multi-Level Secure (MLS) systems frequently provide a partitioned directory mechanism known as multi-level directories for things like /tmp, where a process is transparently redirected to a dynamically created subdirectory of /tmp based on its security level. The SELinux architecture includes support for a generalization of this idea, but we haven't implemented the corresponding mechanism in the filesystem. See the discussion of polyinstantiation and security union directories in the Flask paper. This hasn't been a high priority for us yet.

> As a result of the ls I get this in the messages file:
>
> Nov 21 01:03:53 bench3 kernel: avc: denied { getattr } for pid=9640 exe=/usr/local/selinux/bin/ls path=/...security dev=08:01 ino=38857
> Nov 21 01:03:53 bench3 kernel: scontext=jdoe:user_r:user_t
> Nov 21 01:03:53 bench3 kernel: tcontext=system_u:object_r:file_labels_t
> Nov 21 01:03:53 bench3 kernel: tclass=dir
>
> I'm not sure if I would really want the ls of every user in / to set that off
> but even more of a problem is that the message takes up four lines in the
> messages file. I normally run logcheck once an hour which sends me
> anything interesting from the logfiles after filtering out the bits I have
> deemed non-interesting so it would be quite convenient to have it all on
> one line.

I suppose we could grant getattr permission to these types without any real harm. Alternatively, you can configure the policy to disable auditing of specific permissions through the use of the auditdeny rules. This is already done in several cases in the example policy.

With regard to putting the AVC messages into a single line, that was the original format, but I think it was changed later at someone's request to make it easier to read on the console. Personally, I would tend to agree that each AVC audit message belongs on a single line, so I'm ok with changing it back, but I don't know if this will bother anyone else.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
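
An added example, not part of the original thread: until the AVC format is changed, the four-line denial records discussed above can be folded into single lines before a filter such as logcheck sees them. The function names and the interleaved sshd line are constructed for illustration; the AVC lines are the ones quoted in the thread.

```python
import re

# Syslog prefix as in the thread: "Nov 21 01:03:53 bench3 kernel: <msg>"
PREFIX = re.compile(r"^(\w{3}\s+\d+ [\d:]{8} (\S+) kernel:)\s*(.*)$")
CONT_KEYS = ("scontext=", "tcontext=", "tclass=")


def join_avc(lines):
    """Fold each 4-line AVC record into one line; pass other lines through."""
    out, pending = [], {}          # pending: host -> partial joined record
    for raw in lines:
        line = raw.rstrip("\n")
        m = PREFIX.match(line)
        if not m:                  # not a kernel message: leave untouched
            out.append(line)
            continue
        prefix, host, msg = m.groups()
        if msg.startswith("avc:"):
            if host in pending:    # previous record never completed
                out.append(pending.pop(host))
            pending[host] = prefix + " " + " ".join(msg.split())
        elif msg.startswith(CONT_KEYS) and host in pending:
            pending[host] += " " + msg
            if msg.startswith("tclass="):   # last field of the record
                out.append(pending.pop(host))
        else:
            out.append(line)
    out.extend(pending.values())   # flush records cut off at end of input
    return out


def avc_fields(joined):
    """Extract the permission list and key=value fields from a joined line."""
    fields = dict(re.findall(r"(\w+)=(\S+)", joined))
    perms = re.search(r"\{([^}]*)\}", joined)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields


# Constructed sample: the denial quoted in the thread, with an unrelated
# (invented) sshd line interleaved between its continuation lines.
SAMPLE = """\
Nov 21 01:03:53 bench3 kernel: avc:  denied  { getattr } for  pid=9640 exe=/usr/local/selinux/bin/ls path=/...security dev=08:01 ino=38857
Nov 21 01:03:53 bench3 kernel:    scontext=jdoe:user_r:user_t
Nov 21 01:03:53 bench3 sshd[411]: constructed unrelated line
Nov 21 01:03:53 bench3 kernel:    tcontext=system_u:object_r:file_labels_t
Nov 21 01:03:53 bench3 kernel:    tclass=dir
""".splitlines()

if __name__ == "__main__":
    for line in join_avc(SAMPLE):
        print(line)
```

A joined record is emitted when its tclass= line arrives, so unrelated lines that syslog interleaved inside the record appear just before it in the output.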




From: L. T. Seet <lt.seet_at_student.qut.edu.au>
subject: Re: SELinux policy configuration tutorial?
Date: Wed, 21 Nov 2001 23:02:03 +1000


Hi,

I tried to download the technical report titled "A security policy configuration for the security-enhanced linux." from the SELinux website but to no avail. The response quoted below indicates that the file cannot be found on the server.

"The requested URL /selinux/doc/policy-200110161355.pdf was not found on this server."

Is this because the server is down?

L.T. Seet
ISRC, QUT

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: SELinux policy configuration tutorial?
Date: Wed, 21 Nov 2001 09:22:13 -0500 (EST)

On Wed, 21 Nov 2001, L. T. Seet wrote:

> I tried to download the technical report titled "A security policy
> configuration for the security-enhanced linux." from the SELinux website
> but to no avail. The response quoted below indicates that the file cannot
> be found on the server.
>
> "The requested URL /selinux/doc/policy-200110161355.pdf was not found on
> this server."

That's the URL from the previous release, so you probably have a stale cached copy of the policy-abs.html file that still uses the old URL. Try reloading the page and then selecting the PDF document.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com





This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT
