Hello All,
I am very new to setting up and using SELinux so please forgive the dumb questions, ok.
I am still trying to work out my issues with getting the network working as I am getting messages like "cannot send dump request" and "Error adding address 192.168.1.5 for eth0".
My question is really about setting up the user policies. I have a special project in which I need to confile the users to their HOME directories so that they can NEVER navigate out of them. I also need to allow them to run just a single application such as StarOffice, but still not let them navigate out of their HOME directories even through the application.
Could someone please help to tell me how I might be able to set up some policies like this?
Any help would be greatly appreciated,
Thanks,
Lonnie
-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.From: Stephen Smalley <sds_at_tislabs.com>
On Mon, 17 Dec 2001 lonnie@outstep.com wrote:
> I am still trying to work out my issues with getting the network working as I
> am getting messages like "cannot send dump request" and "Error adding address
> 192.168.1.5 for eth0".
Check your kernel configuration for your network driver and your network options. Did you enable the Netlink support? This seems to be necessary on RH7.2.
> My question is really about setting up the user policies. I have a special
> project in which I need to confile the users to their HOME directories so that
> they can NEVER navigate out of them. I also need to allow them to run just a
> single application such as StarOffice, but still not let them navigate out of
> their HOME directories even through the application.
I raised concerns about the practical feasibility of this kind of policy in my previous response to you. However, if you really want to go down this road, you'll need to significantly pare down the example policy. You'll want to have a kernel with the Development Module option running in permissive mode so that you can easily experiment with policy changes without breaking your system.
You'll need to remove many of the file-related rules in policy/domains/every.te. This file contains rules that are applied to every domain and assumes a relatively open environment with regard to read/search access to standard filesystem locations. When you remove those rules, you'll find that many of the system domains will no longer have permissions that they need, so you will need to add back more specific rules to the individual files in policy/domains/system/*.te and policy/domains/program/*.te that grant these permissions to just the domains that need them. Then you can work on pruning the user_domain macro in policy/domains/user/user.te to something more minimal.
-- Stephen D. Smalley, NAI Labs ssmalley@nai.com -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.From: lonnie_at_outstep.com
Hello Stephen,
Thanks for all of you responses to this problem.
My choices were very limited in that I really need to be able to do this, but had as my options tht were possible, either SELinux or a security application called VXE. (http://www.intes.odessa.ua/vxe/)
The problem is that VXE does not seem to be able to do the job completely and I am sure that SELinux might be of greater benefit to the project is it can be made to do this.
Actually we have a seperate specialized server set up for SELinux whose sole job will be to to handle the task that I have described to you. In this regard, then I can modify the entire system as only the special locked down users will be on this server and they will only be running the applications from the OpenOffice suite.(ie...swriter, simpress, scalc, sweb...)
With this in mind then I am willing to make any modifications to this particular server that you, or the group, might suggest.
My biggest problem is really that I am still very new to using SELinux and am unclear on many of the things that will need to be done.
Best Regards,
Lonnie
Quoting Stephen Smalley <sds@tislabs.com>:
>
> On Mon, 17 Dec 2001 lonnie@outstep.com wrote:
>
> > I am still trying to work out my issues with getting the network
> working as I
> > am getting messages like "cannot send dump request" and "Error adding
> address
> > 192.168.1.5 for eth0".
>
> Check your kernel configuration for your network driver and your
> network
> options. Did you enable the Netlink support? This seems to be
> necessary
> on RH7.2.
>
> > My question is really about setting up the user policies. I have a
> special
> > project in which I need to confile the users to their HOME directories
> so that
> > they can NEVER navigate out of them. I also need to allow them to run
> just a
> > single application such as StarOffice, but still not let them navigate
> out of
> > their HOME directories even through the application.
>
> I raised concerns about the practical feasibility of this kind of
> policy
> in my previous response to you. However, if you really want to go
> down
> this road, you'll need to significantly pare down the example policy.
> You'll want to have a kernel with the Development Module option running
> in
> permissive mode so that you can easily experiment with policy changes
> without breaking your system.
>
> You'll need to remove many of the file-related rules in
> policy/domains/every.te. This file contains rules that are applied to
> every domain and assumes a relatively open environment with regard to
> read/search access to standard filesystem locations. When you remove
> those rules, you'll find that many of the system domains will no
> longer
> have permissions that they need, so you will need to add back more
> specific rules to the individual files in policy/domains/system/*.te
> and
> policy/domains/program/*.te that grant these permissions to just the
> domains that need them. Then you can work on pruning the user_domain
> macro in policy/domains/user/user.te to something more minimal.
>
> --
> Stephen D. Smalley, NAI Labs
> ssmalley@nai.com
>
>
>
-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.From: lonnie_at_outstep.com
Thanks Stepnen,
That got the network up and running.
No I just need to figure out how to set up these user policies to lock the users. Your method shounds good, but I am not sure how to do it.
Best Regards,
Lonnie
Quoting Stephen Smalley <sds@tislabs.com>:
>
> On Mon, 17 Dec 2001 lonnie@outstep.com wrote:
>
> > I am still trying to work out my issues with getting the network
> working as I
> > am getting messages like "cannot send dump request" and "Error adding
> address
> > 192.168.1.5 for eth0".
>
> Check your kernel configuration for your network driver and your
> network
> options. Did you enable the Netlink support? This seems to be
> necessary
> on RH7.2.
>
> > My question is really about setting up the user policies. I have a
> special
> > project in which I need to confile the users to their HOME directories
> so that
> > they can NEVER navigate out of them. I also need to allow them to run
> just a
> > single application such as StarOffice, but still not let them navigate
> out of
> > their HOME directories even through the application.
>
> I raised concerns about the practical feasibility of this kind of
> policy
> in my previous response to you. However, if you really want to go
> down
> this road, you'll need to significantly pare down the example policy.
> You'll want to have a kernel with the Development Module option running
> in
> permissive mode so that you can easily experiment with policy changes
> without breaking your system.
>
> You'll need to remove many of the file-related rules in
> policy/domains/every.te. This file contains rules that are applied to
> every domain and assumes a relatively open environment with regard to
> read/search access to standard filesystem locations. When you remove
> those rules, you'll find that many of the system domains will no
> longer
> have permissions that they need, so you will need to add back more
> specific rules to the individual files in policy/domains/system/*.te
> and
> policy/domains/program/*.te that grant these permissions to just the
> domains that need them. Then you can work on pruning the user_domain
> macro in policy/domains/user/user.te to something more minimal.
>
> --
> Stephen D. Smalley, NAI Labs
> ssmalley@nai.com
>
>
>
>
> --
> You have received this message because you are subscribed to the selinux
> list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.
>
-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.From: Noah silva <nsilva_at_atari-source.com>
If you want to keep them from accesing other directories, you just have to do a CHROOT, but... If they can't read files outside of their home, it could cause other problems (f.e. will StarOffice, etc. all be installed in their home folders?)
On Mon, 17 Dec 2001 lonnie@outstep.com wrote:
> Hello All,
>
> I am very new to setting up and using SELinux so please forgive the dumb
> questions, ok.
>
> I am still trying to work out my issues with getting the network working as I
> am getting messages like "cannot send dump request" and "Error adding address
> 192.168.1.5 for eth0".
>
> My question is really about setting up the user policies. I have a special
> project in which I need to confile the users to their HOME directories so that
> they can NEVER navigate out of them. I also need to allow them to run just a
> single application such as StarOffice, but still not let them navigate out of
> their HOME directories even through the application.
>
> Could someone please help to tell me how I might be able to set up some
> policies like this?
>
> Any help would be greatly appreciated,
> Thanks,
> Lonnie
>
> --
> You have received this message because you are subscribed to the selinux list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.From: lonnie_at_outstep.com
Actually it is ok if they can read the OpenOffice files from some other
directory, but just not other directories. For example I might place the
OpenOffice files in a /programs/OpenOffice directory and when I have a new
application then put it in the /programs directory as well into its own subdirectory
as well.
Outside of reading the programs directory, I do not want then to leave their HOME locations if that is possible.
I have been told that what I am trying to di is complete doable with SELinux so now I am looking to find the details of implementing it.
Thanks,
Lonnie
Quoting Noah silva <nsilva@atari-source.com>:
>
> If you want to keep them from accesing other directories, you just have
> to
> do a CHROOT, but... If they can't read files outside of their home, it
> could cause other problems (f.e. will StarOffice, etc. all be installed
> in
> their home folders?)
>
> -- noah silva
>
> On Mon, 17 Dec 2001 lonnie@outstep.com wrote:
>
> > Hello All,
> >
> > I am very new to setting up and using SELinux so please forgive the
> dumb
> > questions, ok.
> >
> > I am still trying to work out my issues with getting the network
> working as I
> > am getting messages like "cannot send dump request" and "Error adding
> address
> > 192.168.1.5 for eth0".
> >
> > My question is really about setting up the user policies. I have a
> special
> > project in which I need to confile the users to their HOME directories
> so that
> > they can NEVER navigate out of them. I also need to allow them to run
> just a
> > single application such as StarOffice, but still not let them navigate
> out of
> > their HOME directories even through the application.
> >
> > Could someone please help to tell me how I might be able to set up
> some
> > policies like this?
> >
> > Any help would be greatly appreciated,
> > Thanks,
> > Lonnie
> >
> > --
> > You have received this message because you are subscribed to the
> selinux list.
> > If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with
> > the words "unsubscribe selinux" without quotes as the message.
> >
>
-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT